Demo Importer Plus < 2.0.7 – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass | CVE 2025-13066 | Plugin Vulnerabilities

Description

The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

demo-importer-plus

Fixed in 2.0.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

7bc019d2-1a66-415a-88dd-4750d2a09bab

Timeline

Publicly Published

2025-12-04 (about 5 months ago)

Added

2025-12-04 (about 5 months ago)

Last Updated

2025-12-05 (about 5 months ago)

Other

Published

Title

Published

2024-08-07

Title

BerqWP < 1.7.7 - Unauthenticated Arbitrary File Uplaod

Published

2025-10-10

Title

Ovatheme Events Manager < 1.8.6 - Unauthenticated Arbitrary File Upload

Published

2016-06-03

Title

WP Mobile Detector < 3.6 - Unauthenticated Arbitrary File Upload

Published

2025-10-28

Title

Contact Form 7 PDF, Google Sheet & Database < 3.1.0 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2015-09-14

Title

EZ SQL Reports < 4.11.37 - Authenticated Arbitrary File Download