A high-severity vulnerability has been discovered in the "WP Import – Ultimate CSV XML Importer for WordPress" plugin. This flaw, identified as CVE-2025-13145, could allow an attacker to execute arbitrary code on the affected website by uploading a specially crafted file. Successful exploitation could lead to a complete compromise of the website, including data theft and service disruption.

The vulnerability is a PHP Object Injection flaw. It exists because the plugin improperly handles user-supplied data during the import process, passing it to an unserialize() function without proper validation. An authenticated attacker could exploit this by crafting a malicious CSV or XML file containing a serialized PHP object, which, when processed by the plugin, could trigger a Property-Oriented Programming (POP) chain, leading to arbitrary code execution on the server.

This vulnerability is rated as High severity with a CVSS score of 7.2. A successful exploit could have significant business consequences, including a full compromise of the WordPress site. Potential impacts include the theft of sensitive data (such as customer information, user credentials, and proprietary content), website defacement, injection of malicious content to attack site visitors, and using the compromised server to launch further attacks against the internal network. Reputational damage and potential regulatory fines related to a data breach are also significant risks.

Immediate Action:

• Immediately update the "WP Import – Ultimate CSV XML Importer for WordPress" plugin to the latest patched version provided by the vendor.
• If the plugin is not essential for business operations, consider deactivating and removing it entirely to eliminate the attack surface.
• Review WordPress security settings, user roles, and permissions to ensure adherence to the principle of least privilege.

Proactive Monitoring:

• Monitor web server access logs for unusual POST requests to the plugin's import endpoints, especially those containing long, encoded strings indicative of serialized objects.
• Implement a Web Application Firewall (WAF) with rules designed to detect and block PHP Object Injection payloads.
• Monitor the file system for any unauthorized or unexpected file modifications, particularly within the WordPress core, theme, and plugin directories.

Compensating Controls:

• If immediate patching is not feasible, disable the plugin until a patch can be applied.
• Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only.
• Enhance server-side security by disabling potentially dangerous PHP functions if they are not required for legitimate application functionality.

Public Exploit Available: false

Given the high severity (CVSS 7.2) of this vulnerability and the potential for complete system compromise, organizations are strongly advised to apply the recommended remediation actions immediately. Prioritize updating the affected plugin across all WordPress instances. Although this CVE is not currently listed on the CISA KEV catalog, its impact on a widely used platform makes it a high-value target for attackers, and prompt patching is critical to prevent potential exploitation.