PHP Object Injection Vulnerability in WP Import – Ultimate CSV XML Importer Plugin
CVE-2025-13145

7.2 HIGH

What is CVE-2025-13145?

The WP Import – Ultimate CSV XML Importer plugin for WordPress is vulnerable to PHP Object Injection because it deserializes untrusted data during the CSV import process. The flaw is in the import_single_post_as_csv function in SingleImportExport.php, where content taken from the uploaded CSV reaches unserialize() without restriction. An authenticated attacker with administrator-level access can therefore inject arbitrary PHP objects. Object injection by itself does nothing harmful; the danger is that PHP runs magic methods (such as __wakeup or __destruct) on the injected objects, so if another installed plugin or theme supplies a usable property-oriented programming (POP) gadget chain, the attacker can chain into that code to delete arbitrary files, read sensitive data, or execute arbitrary code. Because the attacker must already be an administrator, the practical impact is highest where administrators are otherwise restricted, for example on multisite networks or installs with DISALLOW_FILE_MODS set, since an unrestricted single-site administrator can already install arbitrary code through the plugin editor.
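The pattern behind this class of bug, as an added illustration that is not the plugin's code: a CSV cell is passed straight to unserialize(), so a serialized object in the file instantiates any autoloadable class and triggers its magic methods. The class, function and file names below are hypothetical, and the sample rows are constructed; the hardened variant uses the allowed_classes option that PHP's unserialize() has supported since PHP 7.0, which turns any serialized object into __PHP_Incomplete_Class so no magic method ever runs.

```php
<?php
// Added example, not code from the plugin. All names here are hypothetical.

// A gadget of the kind a POP chain needs: some class that is autoloadable on
// the site (from any plugin or theme) and does something dangerous in a magic
// method. Here __destruct() deletes whatever path the object carries.
class TempFileCleanup {
    public string $path;
    public function __construct(string $path) { $this->path = $path; }
    // Runs automatically when the object is garbage-collected. If $path comes
    // from unserialize() of attacker data, this is arbitrary file deletion.
    public function __destruct() {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE pattern: a "meta" column expected to hold a serialized array is
// deserialized with no class restriction, so any object in the cell is built.
function import_row_vulnerable(array $row): mixed {
    return unserialize($row['meta']);
}

// HARDENED: forbid object instantiation entirely. Arrays and scalars still
// round-trip; a serialized object comes back as __PHP_Incomplete_Class and
// its __wakeup/__destruct are never invoked.
function import_row_hardened(array $row): mixed {
    $value = @unserialize($row['meta'], ['allowed_classes' => false]);
    if ($value === false && $row['meta'] !== serialize(false)) {
        return null; // malformed input (or a payload PHP refused to parse)
    }
    return $value;
}

// Cheap pre-check for logging or WAF rules: a serialized object starts with
// O:<name length>:" either at the start of the cell or nested inside an array.
function looks_like_serialized_object(string $cell): bool {
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $cell);
}

// Constructed sample rows (not real import data). The payload string is
// written by hand rather than via serialize(new TempFileCleanup(...)) so the
// demo itself never instantiates the gadget.
$benign  = ['title' => 'Hello', 'meta' => serialize(['color' => 'blue'])];
$payload = ['title' => 'Hello',
            'meta'  => 'O:15:"TempFileCleanup":1:{s:4:"path";s:15:"/tmp/victim.txt";}'];

var_dump(looks_like_serialized_object($benign['meta']));   // bool(false)
var_dump(looks_like_serialized_object($payload['meta']));  // bool(true)

// Hardened path: the gadget is neutralised.
$safe = import_row_hardened($payload);
var_dump(get_class($safe));                                // "__PHP_Incomplete_Class"
var_dump(import_row_hardened($benign));                    // the original array

// Vulnerable path (commented out): this would build a real TempFileCleanup and,
// when $obj went out of scope, __destruct() would delete /tmp/victim.txt.
// $obj = import_row_vulnerable($payload);
```

If the importer genuinely needs structured data in a cell, JSON with json_decode() is a safer interchange format than PHP serialization, since it can never produce objects of arbitrary classes. The regex check is a detection aid only; the fix is the allowed_classes restriction (or not deserializing untrusted input at all).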

Affected Version(s)

WP Import – Ultimate CSV XML Importer for WordPress * <= 7.33.1

CVSS v3.1

Score: 7.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dieu Link
GCSC Vietnam