CVE-2025-13066
Published: 05 December 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-13066 is an arbitrary file upload vulnerability affecting the Demo Importer Plus plugin for WordPress in all versions up to and including 2.0.6. The issue stems from insufficient file type validation when handling WXR files, which permits double extension files to bypass sanitization while still being accepted as valid imports. This flaw is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with author-level access or higher can exploit this vulnerability remotely without user interaction. By uploading specially crafted files during the demo import process, they can place arbitrary files on the affected WordPress site's server, potentially enabling remote code execution depending on server permissions and file types.
Mitigation details are available in advisories from Wordfence and a patch committed to the plugin's Trac repository at https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers, along with further analysis at https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve. Security practitioners should update to a patched version of the plugin beyond 2.0.6 and review access controls for author roles.
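As an added illustration, not code from the Demo Importer Plus plugin, Wordfence or WordPress core, the block below contrasts a filename check that inspects only the final extension (and so accepts double-extension names of the kind the summary describes) with a stricter check that validates every extension segment and confirms the content type with libmagic. The allowlists, function names and sample filenames are constructed for the example.

```php
<?php
// Added illustration, not code from the Demo Importer Plus plugin or from
// WordPress core. Shows why a last-extension check is insufficient against
// double-extension filenames (CWE-434) and what a stricter check looks like.
// The allowlists and function names are hypothetical.

declare(strict_types=1);

// Hypothetical allowlist for a demo import that expects a WXR (XML) file
// plus a few image types.
const DEMO_IMPORT_ALLOWED_EXTENSIONS = ['xml', 'jpg', 'jpeg', 'png', 'gif'];

// Hypothetical mapping from extension to the libmagic MIME types it may carry.
// Exact strings can vary slightly between libmagic versions.
const DEMO_IMPORT_ALLOWED_MIMES = [
    'xml'  => ['text/xml', 'application/xml'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

/**
 * Weak check: looks only at the text after the final dot, so "demo.php.xml"
 * is accepted. On servers whose handler mapping honours intermediate
 * extensions, that name is not a harmless XML file.
 */
function weak_extension_check(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, DEMO_IMPORT_ALLOWED_EXTENSIONS, true);
}

/**
 * Stricter check: every dot-separated segment after the name stem must be
 * on the allowlist, so any unexpected intermediate extension is rejected.
 * Also rejects empty names, dotfiles and anything carrying path separators.
 */
function strict_filename_check(string $filename): bool
{
    if ($filename === '' || $filename !== basename($filename) || $filename[0] === '.') {
        return false;
    }
    $segments = explode('.', strtolower($filename));
    if (count($segments) < 2) {
        return false; // no extension at all
    }
    array_shift($segments); // drop the name stem, keep every extension segment
    foreach ($segments as $segment) {
        if (!in_array($segment, DEMO_IMPORT_ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Content check: the declared extension must agree with what libmagic
 * detects in the bytes, so a renamed script does not pass as XML.
 */
function content_matches_extension(string $filename, string $bytes): bool
{
    $ext  = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return isset(DEMO_IMPORT_ALLOWED_MIMES[$ext])
        && in_array($mime, DEMO_IMPORT_ALLOWED_MIMES[$ext], true);
}

// Constructed sample filenames exercising both checks.
$samples = ['demo-content.xml', 'hero.png', 'demo.php.xml', 'demo.xml.php', '.htaccess', 'README'];
foreach ($samples as $name) {
    printf("%-18s weak=%-6s strict=%s\n", $name,
        weak_extension_check($name) ? 'accept' : 'reject',
        strict_filename_check($name) ? 'accept' : 'reject');
}

// Constructed byte strings: a minimal WXR-like XML stub and a non-XML stub.
$xmlStub = '<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"></rss>';
$phpStub = "<?php\n";
printf("xml bytes as .xml: %s\n", content_matches_extension('demo.xml', $xmlStub) ? 'accept' : 'reject');
printf("php bytes as .xml: %s\n", content_matches_extension('demo.xml', $phpStub) ? 'accept' : 'reject');
```

Run it with the PHP CLI (`php` followed by whatever filename you save it under; the fileinfo extension must be enabled). In a real plugin, WordPress core's `sanitize_file_name()` and `wp_check_filetype_and_ext()` already perform equivalent multi-extension normalisation and content sniffing, and routing every imported file through them is preferable to a hand-rolled check like the one above.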
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
These techniques apply because the vulnerability is an arbitrary file upload in a public-facing WordPress plugin that is exploitable by low-privileged authenticated users (author role and above): it enables remote code execution via T1190 (Exploit Public-Facing Application) and facilitates privilege escalation from the web-server user to system access via T1068 (Exploitation for Privilege Escalation).