CVE-2025-1913
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to inject PHP objects via deserialization of untrusted input in the Product Import Export for WooCommerce plugin. The impact depends on whether other plugins/themes with POP chains are installed. Only WordPress sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Product Import Export for WooCommerce - Import Export Product CSV Suite
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
If combined with a POP chain from another plugin/theme, attackers could achieve remote code execution, file deletion, or data exfiltration.
Likely Case
Limited impact since no POP chain exists in the vulnerable plugin itself; exploitation requires specific additional vulnerable components.
If Mitigated
With proper access controls limiting administrator accounts, the attack surface is minimal.
🎯 Exploit Status
Exploitation requires administrator credentials and depends on presence of POP chains in other installed components.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.5.0
Vendor Advisory: https://wordpress.org/plugins/product-import-export-for-woo/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Product Import Export for WooCommerce'.
4. Click 'Update Now' if available, or manually update to the latest version.
5. Verify the plugin version is above 2.5.0.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the plugin until patched
Restrict administrator accounts
Minimize the number of administrator accounts and implement strong authentication
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts
- Monitor for suspicious administrator activity and plugin usage
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Product Import Export for WooCommerce. If version is 2.5.0 or lower, you are vulnerable.
Check Version:
wp plugin list --name='product-import-export-for-woo' --field=version
Verify Fix Applied:
Verify plugin version is above 2.5.0 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity, especially related to product import/export functions
- POST requests to /wp-admin/admin-ajax.php with 'form_data' parameter containing serialized data
Network Indicators:
- HTTP requests to WordPress admin-ajax endpoints with serialized PHP objects in parameters
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" AND "form_data" AND ("O:" OR "C:" OR "a:" OR "s:"))
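The SIEM query above matches any "a:" or "s:" substring and will be noisy, since the plugin legitimately sends serialized arrays and strings in form_data. The following Python is an added example (not part of the advisory or the plugin): it scans constructed request log lines for admin-ajax.php POSTs, rates a form_data value containing a PHP object marker (O:/C:) as high and plain serialized scalars or arrays as low, and includes the version comparison from the verification steps. The log format is an assumption; adapt the field split to your own logs.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs

# Constructed sample log lines (assumed format: "<timestamp> <method> <path> <urlencoded body>").
SAMPLE_LOG = """\
2025-03-01T10:00:00Z POST /wp-admin/admin-ajax.php form_data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D
2025-03-01T10:00:05Z POST /wp-admin/admin-ajax.php form_data=a%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22shirt%22%3B%7D
2025-03-01T10:00:09Z POST /wp-admin/admin-ajax.php form_data=plain+text
2025-03-01T10:00:12Z GET /wp-admin/edit.php post_type=product
"""

# PHP object markers, e.g. O:8:"stdClass":1:{  or  C:11:"ArrayObject":5:{  (this is what a POP chain needs).
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:[{]')
# Serialized arrays/scalars are normal for this plugin's import flow and only worth a low-severity note.
PHP_SERIALIZED = re.compile(r'(?:^|[;{])(?:a:\d+:\{|s:\d+:"|i:-?\d+;|b:[01];)')


def classify_form_data(value: str) -> str:
    """Return 'object', 'serialized' or 'none' for a URL-decoded form_data value."""
    if PHP_OBJECT.search(value):
        return "object"
    if PHP_SERIALIZED.search(value):
        return "serialized"
    return "none"


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, severity) for admin-ajax.php POSTs whose form_data carries serialized PHP."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ts, method, path, body = parts
        if method != "POST" or not path.endswith("/admin-ajax.php"):
            continue
        for raw in parse_qs(body).get("form_data", []):  # parse_qs URL-decodes the value
            kind = classify_form_data(raw)
            if kind == "object":
                hits.append((ts, "high"))
            elif kind == "serialized":
                hits.append((ts, "low"))
    return hits


def is_vulnerable_version(version: str) -> bool:
    """True if the version reported by `wp plugin list --field=version` is 2.5.0 or lower."""
    return tuple(int(p) for p in version.split(".")) <= (2, 5, 0)
```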
🔗 References
- https://github.com/S0haib518-KSA/CVE-2025-1913-PoC/
- https://plugins.trac.wordpress.org/browser/product-import-export-for-woo/trunk/admin/modules/import/classes/class-import-ajax.php
- https://plugins.trac.wordpress.org/changeset/3261194/
- https://wordpress.org/plugins/product-import-export-for-woo/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d4464bb1-273a-42c4-a7ec-8e123d286963?source=cve