CVE-2025-13145 HIGH

CVE-2025-13145: WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import

Vendor Smackcoders
Product WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress
Weakness CWE-502 · Unsafe deserialization
Published November 19, 2025
Last update April 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
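The following is an added example, written in hypothetical PHP for this page; it is not code from the plugin, from SingleImportExport.php or from Smackcoders. It shows the CWE-502 pattern the description refers to: a CSV cell that reaches unserialize() unchanged, a stand-in gadget class (AuditLogger, invented here to play the role a class from some other installed plugin or theme would play) whose __wakeup() runs as a side effect of deserialization, and a hardened import path that passes allowed_classes => false and rejects any row that still carries an object. The CSV rows are constructed sample data. Requires PHP 8.0 or later.

```php
<?php
// Added illustration of the CWE-502 pattern this advisory describes. This is
// hypothetical example code, not the plugin's SingleImportExport.php or its
// import_single_post_as_csv function. Requires PHP 8.0+.
declare(strict_types=1);

// Stand-in for a gadget class that some *other* installed plugin or theme might
// define (hypothetical). Its magic method runs as a side effect of unserialize();
// in a real POP chain this is where the harmful behaviour would live.
final class AuditLogger
{
    public string $path = '/tmp/harmless';

    public function __wakeup(): void
    {
        echo "[gadget] AuditLogger::__wakeup() ran with path={$this->path}\n";
    }
}

// Constructed CSV input (not a real import file). Nowdoc keeps the serialized
// strings literal; doubled quotes are standard CSV escaping for a literal quote.
$csv = <<<'CSV'
post_title,meta_value
"Normal post","a:1:{s:5:""color"";s:3:""red"";}"
"Poisoned post","O:11:""AuditLogger"":1:{s:4:""path"";s:13:""/tmp/poisoned"";}"
CSV;

// Vulnerable pattern: hand the CSV cell straight to unserialize(), letting the
// file author choose which classes PHP instantiates.
function import_meta_unsafe(string $cell): mixed
{
    return unserialize($cell);
}

// Returns true if any object (top-level or nested in an array) survived
// deserialization. On PHP >= 7.2, is_object() is true for __PHP_Incomplete_Class.
function contains_object(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: forbid every class, so objects come back as
// __PHP_Incomplete_Class with no __wakeup()/__destruct() to trigger, then reject
// the row outright instead of storing an attacker-shaped value.
function import_meta_safe(string $cell): mixed
{
    $value = @unserialize($cell, ['allowed_classes' => false]);
    if ($value === false && $cell !== serialize(false)) {
        throw new InvalidArgumentException('meta_value is not valid serialized data');
    }
    if (contains_object($value)) {
        throw new InvalidArgumentException('meta_value contained a serialized object');
    }
    return $value;
}

// Minimal CSV walk. The escape character is disabled ('') so backslashes inside
// serialized payloads are not consumed by the CSV parser.
$lines  = array_values(array_filter(explode("\n", $csv)));
$header = str_getcsv(array_shift($lines), ',', '"', '');
foreach ($lines as $line) {
    $row = array_combine($header, str_getcsv($line, ',', '"', ''));
    echo "--- {$row['post_title']} ---\n";

    // The importer never mentions AuditLogger, yet __wakeup() fires for row 2.
    $unsafe = import_meta_unsafe($row['meta_value']);
    echo 'unsafe import: ' . var_export($unsafe, true) . "\n";

    try {
        $safe = import_meta_safe($row['meta_value']);
        echo 'safe import:   ' . var_export($safe, true) . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'safe import:   rejected (' . $e->getMessage() . ")\n";
    }
}
```

Run it with `php example.php`: the first row imports identically on both paths, while the second row prints the gadget's message on the unsafe path and is rejected on the safe one. If the import format genuinely needs structured values, replacing serialized PHP with JSON (json_decode) removes the class-instantiation surface entirely; where serialized data must be accepted, allowed_classes should be false or an explicit allow-list of plain value classes, never true.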

Explanation of Vulnerability in Simple Terms

02 Summary

WP Ultimate CSV Importer versions up to and including 7.33.1 deserialize data read from an imported CSV file without restricting which classes may be instantiated. A user with administrator-level access or higher can place a crafted serialized PHP object in the CSV so that it is instantiated during the import. The plugin's own deserialization does not by itself yield code execution: the impact depends on a usable POP (gadget) chain provided by another plugin or theme installed on the same site, which could allow the attacker to delete arbitrary files, read sensitive data, or execute code. All installations running the stated versions are affected.

What an attacker can do

03 Attacker Capabilities

Inject an attacker-chosen PHP object during CSV import. If a POP chain exists in another installed plugin or theme, the object's magic methods (for example __wakeup or __destruct) run when PHP deserializes or destroys it, which can be chained into arbitrary file deletion, disclosure of sensitive data, or execution of PHP code in the context of the web server process rather than merely the WordPress role of the importing user.

Potential impact on your site

04 Site Impact

A compromised or malicious administrator account can use the import feature to trigger a gadget chain and gain code execution on the server, read or modify site data, delete files, or plant a backdoor that survives the account being disabled. Since administrators already control most of a WordPress site, the additional risk is the step from WordPress-level privileges to arbitrary PHP execution on the host, provided a suitable POP chain is present.

Conditions required to exploit

05 Prerequisites

Attacker must be authenticated as a WordPress user with administrator-level privileges or higher, have network access to the site, and be able to run a CSV import through the plugin. Turning the object injection into a concrete impact additionally requires a POP chain from another plugin or theme installed on the target.

Key dates

06 Disclosure timeline

November 19, 2025 CVE published
April 8, 2026 Record updated