CVE-2025-13145
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to perform PHP object injection by uploading malicious CSV files through the WP Import plugin. Attackers can exploit this to delete files, steal data, or execute arbitrary code if a suitable POP chain exists via other plugins/themes. Only WordPress sites using vulnerable versions of the WP Import plugin are affected.
💻 Affected Systems
- WP Import – Ultimate CSV XML Importer for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or website defacement
Likely Case
File deletion or sensitive data exposure through existing POP chains in common plugins
If Mitigated
Limited impact if proper file upload restrictions and admin access controls are in place
🎯 Exploit Status
Requires admin access and a suitable POP chain via other vulnerable plugins/themes
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.33.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3397842/wp-ultimate-csv-importer/trunk/SingleImportExport.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'WP Import – Ultimate CSV XML Importer'
4. Click 'Update Now' if available
5. If no update appears, manually download version 7.33.2+ from WordPress.org
🔧 Temporary Workarounds
Disable CSV Import Functionality
Temporarily disable the vulnerable import feature
Edit wp-config.php and add: define('DISALLOW_FILE_EDIT', true); (this constant disables the built-in theme and plugin file editor in the admin panel, which removes one common way of turning an object-injection foothold into code execution; it does not itself block the plugin's CSV import, so combine it with deactivating the plugin if imports must be stopped)
Restrict Admin Access
Limit administrator accounts and implement 2FA
🧯 If You Can't Patch
- Disable or uninstall the WP Import plugin entirely
- Implement strict file upload validation and monitoring for CSV imports
🔍 How to Verify
Check if Vulnerable:
Check the plugin version under WordPress admin → Plugins → WP Import. If the version is 7.33.1 or lower, you are vulnerable.
Check Version:
wp plugin list --name='wp-ultimate-csv-importer' --field=version
Verify Fix Applied:
Verify plugin version is 7.33.2 or higher in WordPress admin panel
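The version check above can be automated against the output of the wp-cli command. The following is an added example, not part of the advisory or the plugin's own tooling: it parses the version string printed by wp plugin list, compares it against the 7.33.2 fix version stated above, and treats unparsable or missing output as "verify manually" rather than as safe. Version strings and wp-cli output used here are constructed.

```python
import re
from typing import Optional, Tuple

# Fix version from the advisory: anything below this is affected.
FIXED_VERSION = "7.33.2"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a version string such as '7.33.1' (optionally followed by a
    suffix like '-beta') into a tuple of ints. Returns None if no leading
    dotted-number group is present."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '7.4' and '7.4.0' compare equal."""
    return v + (0,) * (width - len(v))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if version < 7.33.2, False if >= 7.33.2, None if unparsable."""
    parsed = parse_version(version)
    fixed = parse_version(FIXED_VERSION)
    if parsed is None or fixed is None:
        return None
    width = max(len(parsed), len(fixed))
    return _pad(parsed, width) < _pad(fixed, width)


def assess_wp_cli_output(output: str) -> dict:
    """Assess the stdout of:
        wp plugin list --name='wp-ultimate-csv-importer' --field=version
    wp-cli prints the version on one line, or nothing if the plugin
    is not installed. A vulnerable value of None means 'could not
    determine, check manually'."""
    version = output.strip()
    if not version:
        return {"installed": False, "version": None, "vulnerable": False}
    return {
        "installed": True,
        "version": version,
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    # Constructed sample outputs, as wp-cli would print them.
    for sample in ("7.33.1\n", "7.33.2\n", "7.33.10\n", "", "unknown\n"):
        print(repr(sample), "->", assess_wp_cli_output(sample))
```

In practice the output is fed in from a shell, e.g. wp plugin list ... | python3 check_version.py with sys.stdin.read() in place of the constructed samples; a result of None should be escalated to a manual check of the plugin's readme.txt or the admin Plugins page rather than silently treated as patched.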
📡 Detection & Monitoring
Log Indicators:
- Unusual CSV file uploads by admin users
- POST requests to /wp-admin/admin-ajax.php with import actions
- PHP errors related to unserialize() in SingleImportExport.php
Network Indicators:
- Large CSV uploads to WordPress admin endpoints
- Unexpected outbound connections after CSV imports
SIEM Query:
source="wordpress.log" AND ("import_single_post_as_csv" OR "SingleImportExport.php") AND status=200
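The log indicators above can be turned into concrete detection logic. The following is an added example and not part of the advisory: it scans web-server access-log lines for POST requests to /wp-admin/admin-ajax.php whose action parameter relates to an import (the SIEM query above matches import_single_post_as_csv), and scans PHP error-log lines for unserialize() notices attributed to SingleImportExport.php. All log lines below are constructed samples in Apache combined and PHP error-log format; the IP addresses and timestamps are invented.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache combined format).
ACCESS_LOG_LINES = [
    '10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=import_single_post_as_csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Nov/2025:10:01:05 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Nov/2025:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

# Constructed PHP error-log lines; the file path is the plugin file named in the advisory.
PHP_ERROR_LINES = [
    "[12-Nov-2025 10:01:03 UTC] PHP Notice:  unserialize(): Error at offset 0 of 37 bytes in /var/www/html/wp-content/plugins/wp-ultimate-csv-importer/SingleImportExport.php on line 116",
    "[12-Nov-2025 10:01:09 UTC] PHP Warning:  Undefined variable $foo in /var/www/html/wp-content/themes/example/functions.php on line 10",
]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PHP_ERR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>\w+):\s+(?P<msg>.*)$")

AJAX_PATH = "/wp-admin/admin-ajax.php"


def parse_access(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # admin-ajax.php dispatches on the 'action' parameter.
    rec["action"] = parse_qs(parts.query).get("action", [""])[0]
    return rec


def find_import_requests(lines):
    """POST requests to admin-ajax.php whose action looks like an import."""
    hits = []
    for line in lines:
        rec = parse_access(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"] == AJAX_PATH
                and "import" in rec["action"].lower()):
            hits.append({k: rec[k] for k in ("ip", "ts", "action", "status")})
    return hits


def find_unserialize_errors(lines):
    """PHP notices/warnings from unserialize() raised inside SingleImportExport.php."""
    hits = []
    for line in lines:
        m = PHP_ERR_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "unserialize()" in msg and "SingleImportExport.php" in msg:
            hits.append({"ts": m.group("ts"), "level": m.group("level"), "message": msg})
    return hits


if __name__ == "__main__":
    for hit in find_import_requests(ACCESS_LOG_LINES):
        print("import request:", hit)
    for hit in find_unserialize_errors(PHP_ERROR_LINES):
        print("unserialize error:", hit)
```

One caveat when deploying this: admin-ajax.php actions are frequently sent in the POST body rather than the query string, in which case a plain access log will not show the action name at all. For those deployments the second detector (unserialize() errors in the plugin file) and the WordPress-level logging the SIEM query above relies on are the more reliable signals, and the import-request rule should be fed from a WAF or application log that records POST parameters.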
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/SingleImportExport.php#L116
- https://plugins.trac.wordpress.org/changeset/3397842/wp-ultimate-csv-importer/trunk/SingleImportExport.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5e441699-4c78-4277-8ac1-f33b810e78cb?source=cve