CVE-2025-2332
Published: 27 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-2332 is a PHP Object Injection vulnerability (CWE-502) affecting the Export All Posts, Products, Orders, Refunds & Users plugin for WordPress in all versions up to and including 2.13. The issue arises from deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function within the ExportExtension.php file, enabling unauthenticated attackers to inject a PHP object. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low complexity, and potential for high confidentiality, integrity, and availability impacts.
Unauthenticated attackers can exploit this vulnerability remotely by supplying malicious input that triggers the deserialization. On its own, the plugin lacks a known Property-Oriented Programming (POP) chain, so the injected object cannot cause direct harm by itself. However, if another plugin or theme on the target WordPress site provides a POP chain, attackers could leverage the injected object to perform severe actions such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code, depending on the specific chain available.
Mitigation details are available in referenced advisories and patches. The Wordfence threat intelligence page provides analysis of the vulnerability (https://www.wordfence.com/threat-intel/vulnerabilities/id/9546ab46-737c-4bd3-9542-8ab1b776b3ea?source=cve). A fix appears in WordPress plugin changeset 3257504 (https://plugins.trac.wordpress.org/changeset/3257504/), and the vulnerable code location is documented at https://plugins.trac.wordpress.org/browser/wp-ultimate-exporter/trunk/exportExtensions/ExportExtension.php#L3332. Security practitioners should update to a patched version beyond 2.13 and audit co-installed plugins/themes for POP chains.
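As an added illustration (not the plugin's or WordPress core's code; function and variable names are assumed), the deserialization pattern behind CWE-502 next to two hardened forms that a maintainer could adopt:

```php
<?php
// Added example, not taken from the plugin. Names are hypothetical.

// Vulnerable pattern: a serialized string from an untrusted source
// (request data, imported meta) goes straight into unserialize(). Any
// class loaded on the site can be instantiated, and its magic methods
// (__wakeup, __destruct, __toString) run as a side effect. Whether that
// leads to harm depends on what gadget classes other code provides.
function return_meta_value_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: refuse to instantiate any class. PHP 7+ accepts an
// 'allowed_classes' option; with false, every object in the payload
// becomes __PHP_Incomplete_Class, so no attacker-chosen class is
// constructed. Scalars and arrays still round-trip normally.
function return_meta_value_hardened(string $raw)
{
    $value = unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed or rejected input
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        return null; // an object was supplied where none is expected
    }
    return $value;
}

// Safer still: when the stored data never needs to carry objects, use
// JSON instead of the PHP serialization format; json_decode cannot
// instantiate arbitrary classes.
function return_meta_value_json(string $raw)
{
    $value = json_decode($raw, true);
    return json_last_error() === JSON_ERROR_NONE ? $value : null;
}

// Constructed samples: a benign serialized array and a serialized stdClass.
$array_payload  = serialize(['sku' => 'ABC-1', 'qty' => 2]);
$object_payload = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

var_dump(return_meta_value_hardened($array_payload));  // the array, unchanged
var_dump(return_meta_value_hardened($object_payload)); // NULL: object refused
```

Auditing for the unsafe form means grepping co-installed plugins and themes for unserialize() calls on request or meta data without the allowed_classes restriction.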
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter)
Why these techniques?
Directly enables remote, unauthenticated exploitation of a public-facing WordPress plugin (T1190); facilitates arbitrary code execution or data manipulation if a POP chain is present in other installed components (T1059).