PHP Object Injection Vulnerability in Product Import Export for WooCommerce by WordPress
CVE-2025-1913

7.2HIGH

Key Information:

Vendor: WordPress
Status: Product Import Export For WooCommerce – Import Export Product Csv Suite
Vendor: CVE Published:; 26 March 2025

What is CVE-2025-1913?

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is susceptible to PHP Object Injection due to the deserialization of untrusted input from the 'form_data' parameter. This vulnerability affects all versions up to and including 2.5.0 and allows authenticated attackers with Administrator-level access or higher to inject arbitrary PHP objects. While no known PHP Object Pollution (POP) chain exists within the vulnerable software itself, the exploitation of this flaw can lead to significant risks if additional plugins or themes containing a POP chain are present. Such scenarios could enable attackers to perform dangerous actions like file deletion, sensitive data retrieval, or unauthorized code execution.

Affected Version(s)

Product Import Export for WooCommerce – Import Export Product CSV Suite * <= 2.5.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/product-import...

https://wordpress.org/plugins/product-import-export-for-w...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2025
Vulnerability Reserved
Mar 3, 2025

Credit

Hay Mizrachi