Description
The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.
Published: 2025-11-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the use of eval() on unsanitized user input within the pmxi_if function of the WP All Import plugin. This allows an authenticated attacker who has import privileges, such as an administrator, to craft import templates that contain arbitrary PHP code. When the import process evaluates the template, the injected code is executed on the server, granting the attacker full control over the affected WordPress installation.

Affected Systems

The flaw affects the WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin, in all released versions up to and including 3.9.6. No later releases are listed as vulnerable, so sites running 3.9.7 or newer are presumed safe.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is not yet widespread but still possible. Because the issue requires authenticated administrator access, the risk is limited to sites with weak account controls or excessive admin privileges. The remote code execution payload can be delivered via a crafted import file, and the plugin’s lack of input validation makes the exploit straightforward for an insider or a compromised admin account. Sites are not listed in the CISA KEV catalog, but the functionality provides a direct code execution path that should be mitigated promptly.

Generated by OpenCVE AI on April 21, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP All Import to the latest available version (3.9.7 or newer), which removes the unsanitized eval usage.
  • If an immediate upgrade is not possible, temporarily disable the plugin or revoke import capabilities from administrator accounts to prevent the exploit path.
  • Apply the principle of least privilege: limit admin accounts and enforce strong password policies to reduce the likelihood that an attacker can gain the necessary authenticated access.

Generated by OpenCVE AI on April 21, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 13 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpallimport
Wpallimport import Any Xml
Vendors & Products Wordpress
Wordpress wordpress
Wpallimport
Wpallimport import Any Xml

Thu, 13 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 13 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.
Title Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpallimport Import Any Xml
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:24.229Z

Reserved: 2025-11-04T22:13:08.724Z

Link: CVE-2025-12733

cve-icon Vulnrichment

Updated: 2025-11-13T14:27:31.195Z

cve-icon NVD

Status : Deferred

Published: 2025-11-13T04:15:46.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12733

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses