Cyber Posture

CVE-2025-12733

Severity: High

Published: 13 November 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.2th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Requires timely identification, reporting, and patching of the code injection flaw in the WP All Import plugin's eval() usage, directly preventing exploitation of CVE-2025-12733.
- prevent: Mandates input validation at import template entry points to sanitize or reject unsanitized user-supplied input before it reaches the vulnerable pmxi_if eval() function.
- prevent: Enforces least privilege to restrict import capabilities to only essential users, reducing the risk of authenticated attackers exploiting the RCE vulnerability.
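The description above names the defect (template text reaching eval() in pmxi_if) and the controls list the two code-level fixes: validate template input before it is evaluated, and gate template editing behind a narrow capability. The PHP below is an added illustration of both for this record; it is not WP All Import's code and does not reproduce pmxi_if. The field names, the condition grammar, and the capability name `manage_import_templates` are all constructed placeholders.

```php
<?php
// Added illustration, not WP All Import's code. It contrasts the CWE-94 pattern
// this CVE describes (template text executed by eval()) with a restricted
// evaluator that never runs user text as PHP, plus a capability gate.

// VULNERABLE PATTERN (constructed): the template author's text is executed as
// PHP, so anyone allowed to edit templates runs code as the web server.
// Kept here only for contrast with the safe version below.
function template_if_unsafe(string $condition): bool
{
    return (bool) eval("return ({$condition});");
}

// HARDENED PATTERN (constructed): accept only a fixed grammar,
//   {field} OP "string"   or   {field} OP number
// with OP one of ==, !=, <, <=, >, >=. Anything outside the grammar is
// rejected before evaluation; there is no eval() anywhere on this path.
function template_if_safe(string $condition, array $record): bool
{
    $grammar = '/^\s*\{([A-Za-z0-9_]+)\}\s*(==|!=|<=|>=|<|>)\s*'
             . '(?:"([^"]*)"|(-?\d+(?:\.\d+)?))\s*$/';
    if (!preg_match($grammar, $condition, $m)) {
        throw new InvalidArgumentException("Rejected import condition: {$condition}");
    }
    [, $field, $op] = $m;
    if (!array_key_exists($field, $record)) {
        return false;                      // unknown field: false, not an error
    }
    $actual = $record[$field];

    if (isset($m[4])) {                    // numeric literal: group 4 matched
        if (!is_numeric($actual)) {
            return false;                  // non-numeric data never compares equal
        }
        $cmp = ((float) $actual) <=> ((float) $m[4]);
    } else {                               // quoted string literal: group 3 matched
        $cmp = strcmp((string) $actual, $m[3]);
    }

    switch ($op) {
        case '==': return $cmp === 0;
        case '!=': return $cmp !== 0;
        case '<':  return $cmp < 0;
        case '<=': return $cmp <= 0;
        case '>':  return $cmp > 0;
        default:   return $cmp >= 0;       // '>='
    }
}

// LEAST-PRIVILEGE GATE (constructed): templates may be saved only by a user
// holding a dedicated capability. 'manage_import_templates' is a placeholder,
// not a capability the plugin is known to define; inside WordPress this would
// be a current_user_can() check against that capability.
function can_edit_import_template(array $user_caps): bool
{
    return ($user_caps['manage_import_templates'] ?? false) === true;
}

// Demo on a constructed CSV-style row.
$row = ['price' => '12.50', 'status' => 'active'];
var_dump(template_if_safe('{price} > 10', $row));
var_dump(template_if_safe('{status} == "active"', $row));
var_dump(template_if_safe('{sku} == "x"', $row));
try {
    template_if_safe('{price} > {cost}', $row);   // field-to-field: outside the grammar
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(can_edit_import_template(['edit_posts' => true]));
```

The safe evaluator treats the condition as data: a regular expression decides whether the text fits the grammar, and ordinary PHP comparisons do the work, so no template content can ever become code. The capability gate complements it by keeping the number of accounts that can author templates small, which is the "restrict import access" mitigation the summary recommends while a patched version is rolled out.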

Security Summary (AI-generated)

CVE-2025-12733 is a remote code execution vulnerability affecting the WP All Import plugin for WordPress, which enables importing XML, CSV, or Excel files. All versions up to and including 3.9.6 are vulnerable due to the use of the eval() function on unsanitized user-supplied input within the pmxi_if function in the helpers/functions.php file. This flaw, classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), was published on 2025-11-13.

Authenticated attackers with import capabilities, typically administrators, can exploit this vulnerability by crafting malicious import templates. By injecting arbitrary PHP code into these templates, attackers can achieve remote code execution on the affected WordPress server, potentially leading to full server compromise including data theft, modification, or further lateral movement.

References include the vulnerable code at line 79 in helpers/functions.php of version 3.9.6, a related changeset in the plugin's repository, and a Wordfence threat intelligence advisory detailing the issue. Security practitioners should review these sources for patch details, such as updates beyond version 3.9.6, and immediately update the plugin or restrict import access to mitigate risk.

Details

CWE(s): CWE-94 (Code Injection)

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

The vulnerability enables remote code execution via exploitation of a public-facing WordPress plugin (T1190) through code injection in crafted import templates processed with eval() (T1221).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References