Demo Importer Plus < 2.0.10 – Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload | CVE 2025-14478 | Plugin Vulnerabilities

Description

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.

Affects Plugins

demo-importer-plus

Fixed in 2.0.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b

Classification

Type

XXE

OWASP top 10

A4: XML External Entities (XXE)

CWE

CVSS

Miscellaneous

Original Researcher

bosz

Verified

No

WPVDB ID

ae2e6377-3bca-44c9-a68d-9149c4bf0af6

Timeline

Publicly Published

2026-01-16 (about 4 months ago)

Added

2026-01-16 (about 4 months ago)

Last Updated

2026-01-17 (about 4 months ago)

Other

Published

Title

Published

2013-06-21

Title

WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE)

Published

2025-06-03

Title

Category Icon <= 1.0.3 - Author+ XML External Entity Injection

Published

2015-06-10

Title

WooCommerce 2.0.20-2.3.10 - Object Injection / XXE

Published

2014-09-16

Title

WordPress 3.6 - 3.9.1 XXE in GetID3 Library

Published

2024-10-07

Title

TablePress < 2.4.3 - XXE Injection