Login Sign Up

CVE-2025-47453

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to include and execute arbitrary local PHP files on WordPress sites using the WP Smart Import plugin. Attackers can leverage this to read sensitive files, execute code, or escalate privileges. All WordPress sites running WP Smart Import version 1.1.3 or earlier are affected.

💻 Affected Systems

Products:
  • Xylus Themes WP Smart Import WordPress Plugin
Versions: n/a through 1.1.3
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with vulnerable plugin version. PHP configuration with allow_url_include disabled does not prevent local file inclusion.

📦 What is this software?

Wp Smart Import by Xylusthemes

View all CVEs affecting Wp Smart Import →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise leading to data theft, ransomware deployment, or complete site takeover via remote code execution.

🟠

Likely Case

Sensitive file disclosure (configuration files, database credentials), limited code execution, or privilege escalation.

🟢

If Mitigated

Unauthorized file reads limited to web-accessible directories if proper file permissions are configured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests can trigger the vulnerability. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.4

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wp-smart-import/vulnerability/wordpress-wp-smart-import-1-1-3-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Smart Import. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.1.4 from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate wp-smart-import

Web Application Firewall Rule

all

Block requests containing local file inclusion patterns targeting the plugin.

🧯 If You Can't Patch

  • Remove the plugin completely if not essential
  • Implement strict file permissions and disable PHP execution in upload directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WP Smart Import version. If version is 1.1.3 or earlier, you are vulnerable.

Check Version:

wp plugin get wp-smart-import --field=version

Verify Fix Applied:

Confirm plugin version is 1.1.4 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-content/plugins/wp-smart-import/ with suspicious file parameters
  • PHP include/require errors in web server logs

Network Indicators:

  • Unusual file read patterns from web server
  • Requests with ../ sequences or absolute paths in parameters

SIEM Query:

web.url:*wp-smart-import* AND (web.param:*../* OR web.param:*php://* OR web.param:*file=*)

📊 Metadata

CVE ID: CVE-2025-47453
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-98
EPSS Score: 0.16% exploit probability (36.7th percentile)
Published: May 23, 2025
Last Updated: January 12, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-47453, you might also want to check these:

CVE-2025-25174 10.0

This CVE describes a PHP Local File Inclusion vulnerability in the BeeTeam368 Extensions WordPress p...

Same vulnerability type (CWE-98)
CVE-2025-49994 9.8

This vulnerability allows attackers to include local files on the server through improper filename c...

Same vulnerability type (CWE-98)
CVE-2025-50003 9.8

This vulnerability allows attackers to include local PHP files through improper filename control in ...

Same vulnerability type (CWE-98)