CVE-2025-1913
Published: 26 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-1913 is a PHP Object Injection vulnerability (CWE-502) affecting the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress, in all versions up to and including 2.5.0. The flaw arises from deserialization of untrusted input in the 'form_data' parameter, enabling authenticated attackers with Administrator-level access or higher to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires an authenticated attacker with Administrator privileges or higher, who can use the deserialization to inject objects. No known Property-Oriented Programming (POP) chain exists within the vulnerable plugin itself, so the flaw is low-impact in isolation; however, a POP chain supplied by another installed plugin or theme could enable severe outcomes such as arbitrary file deletion, sensitive data retrieval, or arbitrary code execution, depending on the chain.
Wordfence's threat intelligence advisory and the WordPress plugin Trac references, including changeset 3261194, document the fix: the deserialization in the plugin's import AJAX handler (class-import-ajax.php) was patched. Security practitioners should update to a version later than 2.5.0 and review co-installed plugins and themes for potential POP chains. A proof-of-concept is available on GitHub for testing.
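As an added illustration of the CWE-502 pattern described above and of its hardened form (example code written for this page, not the plugin's own handler; the function names, the sample inputs and the nesting of the object marker are hypothetical/constructed):

```php
<?php
// Added example, not code from the affected plugin. Shows the CWE-502 pattern
// behind CVE-2025-1913 (unserialize() on a POST parameter) next to a hardened
// handler. Function names and sample inputs are hypothetical/constructed.

// VULNERABLE: unserialize() on untrusted input instantiates any class the
// autoloader can resolve, so a POP chain shipped by some other plugin or
// theme becomes reachable from this request.
function import_settings_unsafe(string $form_data): array
{
    $settings = unserialize($form_data);          // CWE-502
    return is_array($settings) ? $settings : [];
}

// HARDENED: forbid class instantiation entirely and reject any payload that
// still carries object markers (they surface as __PHP_Incomplete_Class).
// Capability and nonce checks (current_user_can(), check_ajax_referer())
// belong in front of this call in a real WordPress AJAX handler.
function import_settings_safe(string $form_data): array
{
    $settings = @unserialize($form_data, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return [];
    }
    array_walk_recursive($settings, static function ($value): void {
        if (is_object($value)) {
            throw new RuntimeException('form_data contained a serialized object');
        }
    });
    return $settings;
}

// Preferred when the producer is under your control: carry settings as JSON,
// which has no way to name a class.
function import_settings_json(string $form_data): array
{
    $settings = json_decode($form_data, true, 8, JSON_THROW_ON_ERROR);
    return is_array($settings) ? $settings : [];
}

// Constructed inputs: a benign settings array, and an array carrying a
// harmless stdClass that stands in for an object an attacker would smuggle in.
$benign = serialize(['delimiter' => ',', 'batch_size' => 100]);
$object = 'a:1:{s:4:"mode";O:8:"stdClass":0:{}}';

var_dump(import_settings_safe($benign));
try {
    import_settings_safe($object);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The `allowed_classes => false` option requires PHP 7.0 or later; on the hardened path the object marker is never turned into a live class instance, so no POP chain in any co-installed plugin or theme is reachable.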
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP Object Injection via deserialization in a public-facing WordPress plugin lets an authenticated administrator achieve remote code execution or file operations when an external POP chain is present, which maps directly to exploitation of a public-facing application and to Unix shell command execution.