CVE-2025-12733

EPSS 0.29%
Veröffentlicht 13.11.2025 03:27:38
Zuletzt bearbeitet 14.11.2025 16:42:03
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic

The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.

Mögliche Gegenmaßnahme

Import any XML, CSV or Excel File to WordPress: Update to version 4.0.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Import any XML, CSV or Excel File to WordPress

Version * - 3.9.6

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerwpallimport

≫

Produkt Import any XML, CSV or Excel File to WordPress

Default Statusunaffected

Version <= 3.9.6

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.518

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.wordfence.com/threat-intel/vulnerabilities/id/8475dd90-b47a-42b4-8e4e-44e8512e4fca?source=cve

https://plugins.trac.wordpress.org/browser/wp-all-import/tags/3.9.6/helpers/functions.php#L79

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393968%40wp-all-import&new=3393968%40wp-all-import&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/8475dd90-b47a-42b4-8e4e-44e8512e4fca

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-12733

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-12733

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-12733

EUVD