CVE-2025-13133 MEDIUM

CVE-2025-13133: Simple User Import Export <= 1.1.7 - Authenticated (Admin+) CSV Injection

Vendor: Vaniivan
Product: Simple User Import Export
Weakness: CWE-1236
Published: November 18, 2025
Last update: April 8, 2026

CVSS base score

6.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
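
One way an export routine can neutralise cells that a spreadsheet would treat as formulas, shown as an added example (not the plugin's code and not its actual fix). The function names `neutralise_csv_cell` and `export_users_csv` and the sample rows are constructed for illustration.

```php
<?php
// Added example: hardening a user export against CSV injection (CWE-1236).
// Names and data below are hypothetical, not taken from the plugin.

/**
 * Return the value with a leading apostrophe when its first character
 * would make a spreadsheet application evaluate the cell
 * (=, +, -, @, tab or carriage return).
 */
function neutralise_csv_cell(string $value): string
{
    if ($value !== '' && strpbrk($value[0], "=+-@\t\r") !== false) {
        // Trade-off: legitimate values such as "-5" are also forced to text.
        return "'" . $value;
    }
    return $value;
}

/**
 * Write rows to an open stream, neutralising every cell first.
 * fputcsv() handles quoting of commas, quotes and newlines; the empty
 * escape argument (PHP 7.4+) disables PHP's non-standard backslash escape.
 */
function export_users_csv(array $rows, $handle): void
{
    foreach ($rows as $row) {
        $safe = array_map(
            static fn($cell) => neutralise_csv_cell((string) $cell),
            $row
        );
        fputcsv($handle, $safe, ',', '"', '');
    }
}

// Constructed sample: two harmless rows and two with formula-leading fields.
$rows = [
    ['user_login', 'user_email', 'display_name'],
    ['alice', 'alice@example.test', 'Alice'],
    ['bob', 'bob@example.test', '=1+1'],
    ['carol', 'carol@example.test', '@SUM(A1:A2)'],
];

$out = fopen('php://output', 'w');
export_users_csv($rows, $out);
fclose($out);
```

The same check can be applied when importing, so that formula-leading values are rejected or flagged before they are stored and later exported.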

Explanation of Vulnerability in Simple Terms

02 Summary

Simple User Import Export versions up to 1.1.7 contain a vulnerability that allows high-privilege users to read sensitive data, modify site content, or disrupt service. The flaw affects multiple security functions and can impact the broader site environment. A high-privilege account is required to exploit this issue.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, or disrupt service availability.

Potential impact on your site

04 Site Impact

High-privilege accounts (admins) could be compromised to leak data, alter content, or cause downtime.

Conditions required to exploit

05 Prerequisites

Attacker must have high-privilege account access; no user interaction required.

Key dates

06 Disclosure timeline

November 18, 2025: CVE published
April 8, 2026: Record updated