CVE-2025-13133
📋 TL;DR
The Simple User Import Export WordPress plugin (slug a3-user-importer) writes user data to exported CSV files without neutralising spreadsheet formula characters (CSV injection). An authenticated administrator can get a cell that begins with a formula trigger such as `=`, `+`, `-` or `@` into an export; when the file is opened in Excel or LibreOffice, the spreadsheet evaluates the formula, which can lead to command execution on the opener's workstation (in Excel typically after a DDE security prompt). All sites running plugin version 1.1.7 or earlier are affected.
💻 Affected Systems
- Simple User Import Export WordPress Plugin
⚠️ Manual Verification Required
The CVE database entry for this issue carries no machine-readable affected-version range (none was supplied to NVD), so automated vulnerability detection cannot decide whether a given install is affected.
Why? Without version ranges a scanner has nothing to compare the installed version against. Verify manually instead: the fix ships in 1.1.8 (see Fix & Mitigation), so treat 1.1.7 and lower as vulnerable.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrator access exports a CSV file containing malicious formulas that, when opened by a victim, executes arbitrary code on their local system, potentially leading to full system compromise.
Likely Case
An attacker who has obtained administrator credentials (or a malicious administrator) seeds formula cells into user data and exports it; the export is later opened by IT staff or another administrator, whose workstation is compromised while the site itself shows nothing unusual.
If Mitigated
Once the plugin is updated, or exports are scanned and sanitised before being opened, formula cells import as plain text. The residual risk is confined to the workstation of anyone who opens an unsanitised export; the WordPress site itself is never compromised by this issue, because the payload runs client-side in the spreadsheet application.
🎯 Exploit Status
Exploitation requires an account with administrator privileges on the WordPress site; no public exploit specific to this CVE is referenced here. Generic CSV injection payloads are well documented and trivial to craft, so the barrier is access, not technique.
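As an added example that is not part of this advisory or of the plugin's own code, the Python below shows what an unsanitised user export hands to a spreadsheet, the OWASP-style neutralisation a hardened exporter applies, and a scanner you can run over a downloaded export before opening it. The sample users, the column names and the DDE payload (which launches calc.exe, the usual harmless demonstrator) are constructed for illustration; the plugin's real column layout is assumed.

```python
import csv
import io
import re

# Cell prefixes that Excel / LibreOffice treat as the start of a formula or
# DDE call (OWASP CSV Injection guidance): =, +, -, @, tab, carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers also start with + or -; leave those untouched so that a
# legitimate "-5" still imports as a number rather than as text.
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def is_formula_injection(cell: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    if not cell or _PLAIN_NUMBER.match(cell):
        return False
    return cell[0] in FORMULA_TRIGGERS


def neutralize_cell(cell: str) -> str:
    """Prefix a formula-looking cell with a single quote so it imports as text.
    csv.QUOTE_ALL in the writer takes care of embedded quotes and commas."""
    return "'" + cell if is_formula_injection(cell) else cell


def export_users(users, hardened: bool) -> str:
    """Write user rows to CSV text; `hardened` toggles the neutralisation.
    Assumed column layout; this mirrors the shape of a user export, not the
    plugin's actual implementation."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["user_login", "display_name", "user_email"])
    for row in users:
        writer.writerow([neutralize_cell(v) if hardened else v for v in row])
    return buf.getvalue()


def scan_export(csv_text: str):
    """Return (row_number, column_name, value) for every cell of an exported
    CSV that a spreadsheet would evaluate. Run it on a download before opening
    the file; row 1 is the header, so data rows are numbered from 2."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for n, row in enumerate(reader, start=2):
        for col, val in row.items():
            if val is not None and is_formula_injection(val):
                findings.append((n, col, val))
    return findings


# Constructed sample data: one display name carrying the classic DDE payload,
# one carrying the @-prefixed variant, a plain negative number that must stay
# numeric, and a phone number that is harmless but starts with a trigger.
SAMPLE_USERS = [
    ("alice", "Alice Example", "alice@example.test"),
    ("mallory", "=cmd|' /C calc'!A0", "mallory@example.test"),
    ("trent", "@SUM(1+1)*cmd|' /C calc'!A0", "trent@example.test"),
    ("bob", "-5", "bob@example.test"),
    ("carol", "+1 555 0100", "carol@example.test"),
]

if __name__ == "__main__":
    raw = export_users(SAMPLE_USERS, hardened=False)
    print("Unsanitised export flags:", scan_export(raw))
    safe = export_users(SAMPLE_USERS, hardened=True)
    print("Hardened export flags:", scan_export(safe))
```

The single-quote prefix is what Excel itself uses to force a cell to text; the trade-off is that a harmless value such as `+1 555 0100` is also prefixed, and LibreOffice shows the quote literally. That is the accepted cost of never letting a trigger character reach the spreadsheet unescaped; loosen the rule only for columns you know are numeric.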
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.8 or later
Vendor Advisory: https://it.wordpress.org/plugins/a3-user-importer/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Simple User Import Export'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate a3-user-importer
Restrict Administrator Access
Limit administrator accounts to trusted personnel only and enforce strong (multi-factor) authentication
🧯 If You Can't Patch
- Implement strict access controls for WordPress administrator accounts
- Tell users not to open CSV exports from untrusted sources without inspecting them first, and harden the spreadsheet applications that open them: in Excel, disable Dynamic Data Exchange (DDE) server launch and lookup under Trust Center → External Content; in LibreOffice Calc, keep macro security at High and leave the Text Import dialog's "Evaluate formulas" option (present in recent versions) unticked
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Simple User Import Export → Version. If the version is 1.1.7 or lower, the site is vulnerable. Compare versions as dotted integers, not as strings.
Check Version:
wp plugin get a3-user-importer --field=version
Verify Fix Applied:
After updating, verify plugin version is 1.1.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple CSV export operations by same administrator in short time
- Unusual administrator login patterns
Network Indicators:
- CSV file downloads from WordPress admin area
SIEM Query:
source="wordpress" plugin="a3-user-importer" action="csv_export" user_role="administrator" | bin _time span=10m | stats count by _time, user | where count >= 3
The field names are placeholders for whatever your audit-log plugin or proxy actually emits. The version clause in the original form of this query (version<="1.1.7") was dropped: a SIEM compares that as a string, so "1.1.10" would sort as vulnerable and "1.1.9" as patched. Check versions with wp-cli instead and use the query only for the export-burst rule.
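Added example, not part of the advisory: the burst rule above (several exports by one administrator inside a short window) implemented as a sliding-window count over constructed audit-log lines. WordPress core does not log plugin exports itself, so the key=value line format and the field names ts, user, role, plugin, action and src are assumptions about an audit-log plugin or proxy and must be mapped to what your site really emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: four exports by "admin" inside five minutes, one
# export by a non-administrator, and two isolated exports later in the day.
# The format is an assumed key=value audit line, not anything WordPress emits.
SAMPLE_LOG = """\
ts=2025-01-15T09:00:12Z user=admin role=administrator plugin=a3-user-importer action=csv_export src=203.0.113.5
ts=2025-01-15T09:03:40Z user=admin role=administrator plugin=a3-user-importer action=csv_export src=203.0.113.5
ts=2025-01-15T09:04:02Z user=admin role=administrator plugin=a3-user-importer action=csv_export src=203.0.113.5
ts=2025-01-15T09:04:30Z user=admin role=administrator plugin=a3-user-importer action=csv_export src=203.0.113.5
ts=2025-01-15T09:05:10Z user=editor1 role=editor plugin=a3-user-importer action=csv_export src=198.51.100.7
ts=2025-01-15T13:00:00Z user=admin role=administrator plugin=a3-user-importer action=csv_export src=203.0.113.5
ts=2025-01-15T13:30:00Z user=ops role=administrator plugin=a3-user-importer action=csv_export src=203.0.113.9
"""


def parse_line(line: str) -> dict:
    """Split one key=value audit line into a dict and parse its timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def export_events(log_text: str, plugin: str = "a3-user-importer"):
    """Yield only the CSV-export events for the plugin of interest."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("plugin") == plugin and ev.get("action") == "csv_export":
            yield ev


def max_exports_in_window(log_text: str,
                          window: timedelta = timedelta(minutes=10),
                          role: str = "administrator") -> dict:
    """For each user with the given role, the largest number of exports that
    fall inside any `window`-long span. Events are processed in time order and
    a per-user deque holds the timestamps still inside the window."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ev in sorted(export_events(log_text), key=lambda e: e["ts"]):
        if ev.get("role") != role:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        peak[ev["user"]] = max(peak[ev["user"]], len(q))
    return dict(peak)


def burst_exporters(log_text: str, threshold: int = 3, **window_args) -> list:
    """Users whose peak export count meets the threshold; the alert list."""
    peaks = max_exports_in_window(log_text, **window_args)
    return sorted(user for user, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    print("Peak exports per administrator:", max_exports_in_window(SAMPLE_LOG))
    print("Burst alerts:", burst_exporters(SAMPLE_LOG))
```

Tune `window` and `threshold` to how often your administrators legitimately export; a single export is normal, four in five minutes by one account is the pattern the log indicator above describes. The `src` field is carried through untouched so a second rule can pair a burst with an administrator logging in from an address not seen before.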