WordPress Plugin Vulnerabilities

WP Import – Ultimate CSV XML Importer for WordPress < 7.34 - Authenticated (Administrator+) PHP Object Injection via CSV Import

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
wp-ultimate-csv-importer
Fixed in 7.34

References

CVE
CVE-2025-13145
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e441699-4c78-4277-8ac1-f33b810e78cb

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Dieu Link, GCSC Vietnam
Verified
No
WPVDB ID
647826e3-e19d-4bad-8fce-e5da9cae06ff

Timeline

Publicly Published
2025-11-18 (about 5 months ago)
Added
2025-11-18 (about 5 months ago)
Last Updated
2025-11-19 (about 5 months ago)

Other

Published
Title
Published
2024-09-27
Title
GiveWP – Donation Plugin and Fundraising Platform < 3.16.2 - Unauthenticated PHP Object Injection
Published
2024-10-24
Title
Namaste! LMS < 2.6.4 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-10-14
Title
Recently <= 1.1 - Unauthenticated PHP Object Injection
Published
2026-02-27
Title
Pizza House <= 1.4.0 - Unauthenticated PHP Object Injection
Published
2022-10-10
Title
Customizer Export/Import < 0.9.5 - Admin+ PHP Objection Injection