CVE-2025-13066
📋 TL;DR
The Demo Importer Plus WordPress plugin allows authenticated attackers with author-level access or higher to upload arbitrary files due to insufficient validation of WXR files. This vulnerability enables remote code execution by uploading malicious files to the server. All WordPress sites using this plugin up to version 2.0.6 are affected.
💻 Affected Systems
- WordPress Demo Importer Plus plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, leading to data theft, site defacement, malware distribution, or complete system takeover.
Likely Case
Attackers upload web shells or backdoors to gain persistent access, execute arbitrary commands, and potentially pivot to other systems.
If Mitigated
Attackers can only upload files but cannot execute them due to proper file permissions or security controls.
🎯 Exploit Status
Exploitation requires author-level WordPress credentials. Attack tools targeting this vulnerability are likely available in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Demo Importer Plus and click 'Update Now'.
4. Verify that the plugin version is 2.0.7 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Demo Importer Plus plugin until it is patched:
wp plugin deactivate demo-importer-plus
Restrict file uploads
Use a web application firewall to block double-extension file uploads
🧯 If You Can't Patch
- Remove author-level access from untrusted users
- Implement file integrity monitoring on WordPress uploads directory
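Added example (not part of this advisory or the plugin): a minimal file-integrity check for the uploads directory that snapshots file hashes, reports new or changed files, and flags names that are directly executable or hide a PHP extension behind another (the .php.wxr / .jpg.php pattern listed under network indicators). The executable-extension list and the constructed sample directory are assumptions for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumed list of extensions the PHP handler executes; extend for your host config.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Double extensions in either order: shell.jpg.php or payload.php.wxr
DOUBLE_EXT = re.compile(r"\.(php\d?|phtml|phar)\.[a-z0-9]+$|\.[a-z0-9]+\.(php\d?|phtml|phar)$", re.I)

def is_suspicious(name: str) -> bool:
    """True if the file name is executable or hides an executable extension."""
    lower = name.lower()
    _, ext = os.path.splitext(lower)
    return ext in EXECUTABLE_EXTS or DOUBLE_EXT.search(lower) is not None

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(uploads_dir: str) -> dict:
    """Map relative path -> sha256 for every file under the uploads directory."""
    manifest = {}
    for root, _, files in os.walk(uploads_dir):
        for f in files:
            full = os.path.join(root, f)
            manifest[os.path.relpath(full, uploads_dir)] = sha256_of(full)
    return manifest

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files added or modified since the baseline, plus suspicious names."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    suspicious = sorted(p for p in current if is_suspicious(os.path.basename(p)))
    return {"new": new, "changed": changed, "suspicious": suspicious}

def demo() -> dict:
    """Constructed uploads tree: baseline holds one image, then a web shell appears."""
    with tempfile.TemporaryDirectory() as uploads:
        month = os.path.join(uploads, "2025", "01")
        os.makedirs(month)
        with open(os.path.join(month, "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")            # fake JPEG header
        baseline = snapshot(uploads)
        with open(os.path.join(month, "shell.jpg.php"), "w") as fh:
            fh.write("<?php /* constructed sample */ ?>")
        with open(os.path.join(month, "photo.jpg"), "ab") as fh:
            fh.write(b"tampered")
        return diff_snapshots(baseline, snapshot(uploads))
```

Run `snapshot()` once after a clean install, store the manifest, and compare with `diff_snapshots()` on a schedule; any entry under "suspicious" in wp-content/uploads warrants immediate review.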
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Demo Importer Plus version. If version is 2.0.6 or lower, you are vulnerable.
Check Version:
wp plugin get demo-importer-plus --field=version
Verify Fix Applied:
Verify plugin version is 2.0.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful author-level login
- Unusual file uploads to wp-content/uploads directory
- POST requests to /wp-admin/admin-ajax.php with import actions
Network Indicators:
- HTTP POST requests carrying double-extension file names (.php.wxr, .jpg.php)
- Unusual outbound connections from WordPress server after file upload
SIEM Query:
source="wordpress.log" AND ("demo-importer-plus" OR "import_wxr") AND ("upload" OR "import") AND status=200