CVE-2025-1971
Published: 22 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-1971 is a PHP Object Injection vulnerability (CWE-502) affecting the Export and Import Users and Customers plugin for WordPress in all versions up to and including 2.6.2. The issue arises from deserialization of untrusted input via the 'form_data' parameter in the plugin's export and import AJAX handlers, enabling authenticated attackers with Administrator-level access or higher to inject arbitrary PHP objects. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-22.
Exploitation requires an authenticated attacker with administrator privileges or above, who can leverage the deserialization flaw to inject PHP objects. By itself, the vulnerable plugin contains no known Property-Oriented Programming (POP) chain, resulting in no direct impact. However, if another plugin or theme on the target WordPress site provides a POP chain, the attacker could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code, depending on the capabilities of that chain.
Mitigation details are available in referenced advisories and sources, including Wordfence threat intelligence and WordPress plugin trac repositories. A patch appears in changeset 3259688, with affected code visible in the export and import AJAX class files; security practitioners should update to a version beyond 2.6.2 via the plugin's developers page on WordPress.org.
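For triage on sites that have not yet been updated, the following detection sketch flags request bodies whose 'form_data' parameter carries a serialized PHP object rather than plain arrays and scalars. It is an added example, not code from the plugin or the referenced advisories. It assumes request bodies are available as URL-encoded form strings (for example from a WAF or proxy log); the base64 check, the function names and the sample bodies are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# serialize() writes objects as O:<len>:"<class>":<count>:{ (C: for Serializable).
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

def candidates(value):
    """Yield the value as sent and, if it is valid base64, its decoded text.
    The base64 wrapper is an assumption, not something the advisory states."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass

def object_classes_in_form_data(body, param="form_data"):
    """Return class names of serialized PHP objects carried in `param`."""
    found = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        # PHP also accepts array-style field names such as form_data[key].
        if name != param and not name.startswith(param + "["):
            continue
        for value in values:
            for text in candidates(value):
                found.extend(OBJECT_TOKEN.findall(text))
    return found

# Constructed sample bodies; "placeholder_action" is not the plugin's real action name.
OBJ = 'a:1:{i:0;O:8:"stdClass":0:{}}'
SAMPLES = {
    "scalars_only": {"form_data": 'a:1:{s:4:"step";s:6:"export";}'},
    "object": {"form_data": OBJ},
    "object_base64": {"form_data": base64.b64encode(OBJ.encode()).decode()},
    "other_field": {"note": OBJ},
}
SAMPLES = {k: urlencode({"action": "placeholder_action", **v}) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = object_classes_in_form_data(body)
        print(f"{label:14} {'ALERT ' + ','.join(hits) if hits else 'ok'}")
```

A hit is a lead for review, not proof of compromise: as the summary notes, impact depends on a POP chain being present in another plugin or theme on the same site.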
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization vulnerability in public-facing WordPress plugin enables authenticated admin attackers to inject PHP objects; if chained with a POP chain from another component, facilitates arbitrary code execution on the server.