CVE-2025-14364
📋 TL;DR
The Demo Importer Plus WordPress plugin has a critical vulnerability that allows authenticated attackers with Subscriber-level access or higher to trigger a full site reset, delete all database tables except users/usermeta, and gain Administrator privileges. This affects all versions up to and including 2.0.8. Any WordPress site using this vulnerable plugin is at risk.
💻 Affected Systems
- Demo Importer Plus WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site destruction with all content and configuration lost, attacker gains full administrative control over the WordPress installation.
Likely Case
Attacker resets site to default WordPress installation, gains admin access, and potentially installs backdoors or malware.
If Mitigated
With proper access controls and monitoring, impact limited to temporary service disruption before detection and recovery.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. Public exploit details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3420645/demo-importer-plus/trunk/inc/Ajax.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Demo Importer Plus.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Immediate Plugin Deactivation
Deactivate the vulnerable plugin to prevent exploitation while planning the permanent fix.
wp plugin deactivate demo-importer-plus
Restrict User Registration
Disable new user registration to prevent attackers from creating Subscriber accounts.
In WordPress Settings > General > Membership, uncheck 'Anyone can register'.
🧯 If You Can't Patch
- Immediately deactivate and remove the Demo Importer Plus plugin from all WordPress installations
- Implement strict access controls: limit user registration, review existing user accounts, and monitor for suspicious activity
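If the plugin must stay active for a short time, a must-use plugin can deny the AJAX action to anyone below Administrator until 2.0.9 is installed. This is an added example, not code from the plugin or from this advisory; it assumes WordPress's standard mapping of admin-ajax.php?action=X to the wp_ajax_X hook, that the plugin's own callback runs at the default priority 10, and the function and log-line names are made up for the example.

```php
<?php
/**
 * Plugin Name: Demo Importer Plus AJAX guard (temporary)
 * Description: Place in wp-content/mu-plugins/ until Demo Importer Plus is updated to 2.0.9 or removed.
 */

// WordPress dispatches admin-ajax.php?action=X to "wp_ajax_X" for logged-in users,
// so the action named in the advisory maps to this hook. Priority 0 runs before the
// plugin's own callback (assumed to be registered at the default priority 10).
add_action( 'wp_ajax_demo_importer_plus_ajax_handler', 'dip_guard_block_low_privilege', 0 );

function dip_guard_block_low_privilege() {
    // Administrators keep the import feature; every other role is stopped here.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Leave a log line for the SIEM: who tried the action and from where.
    error_log( sprintf(
        'dip-guard: blocked demo_importer_plus_ajax_handler for user %d (%s) from %s',
        $user->ID,
        $user->user_login,
        $ip
    ) );

    // End the request with a 403 before the vulnerable handler can run.
    wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
}
```

Remove the file once the plugin is updated or deleted; it only narrows who can reach the handler and does not repair the plugin itself.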
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Demo Importer Plus version <= 2.0.8
Check Version:
wp plugin list --name=demo-importer-plus --field=version
Verify Fix Applied:
Verify plugin version is 2.0.9 or higher, or confirm plugin is completely removed from plugins directory
📡 Detection & Monitoring
Log Indicators:
- wp_install() calls in WordPress logs
- Database DROP TABLE operations
- User role changes from Subscriber to Administrator
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=demo_importer_plus_ajax_handler
SIEM Query:
source="wordpress.log" AND ("wp_install" OR "DROP TABLE" OR "user role changed")