CVE-2025-14478
📋 TL;DR
The Demo Importer Plus WordPress plugin contains an XML External Entity Injection vulnerability in SVG file upload functionality. Authenticated attackers with Author-level access can exploit this to achieve code execution on vulnerable WordPress sites running PHP versions older than 8.0.
💻 Affected Systems
- Demo Importer Plus WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, and server takeover.
Likely Case
File system access, sensitive data extraction, and potential privilege escalation.
If Mitigated
Limited impact if proper file upload restrictions and PHP hardening are in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once access is obtained. XXE vulnerabilities are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Demo Importer Plus. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.1.0+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable XML external entity processing
allConfigure PHP to disable external entity loading in XML parsing
php -d 'libxml_disable_entity_loader=true'
Restrict SVG file uploads
linuxBlock SVG file uploads through WordPress or web server configuration
Add to .htaccess: <FilesMatch "\.svg$">
Order Deny,Allow
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Upgrade PHP to version 8.0 or higher immediately
- Remove or disable the Demo Importer Plus plugin entirely
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Demo Importer Plus version. If version is 2.0.9 or lower and PHP version is below 8.0, the site is vulnerable.Check Version:
wp plugin list --name=demo-importer-plus --field=versionVerify Fix Applied:
Verify plugin version is 2.1.0 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads by Author-level users
- XML parsing errors in PHP logs
- Unexpected file system access attempts
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with SVG uploads
- Outbound connections to external entities during XML parsing
SIEM Query:
source="wordpress.log" AND ("svg" OR "xml" OR "demo-importer-plus") AND ("upload" OR "import")🔗 References
- https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88
- https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88
- https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve
