CVE-2025-13133 - Vulnerability Details

- Simple User Import Export <= 1.1.7 - Authenticated (Admin+) CSV Injection

Description

The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration

Published: 2025-11-18

Score: 6.6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Simple User Import Export WordPress plugin contains a CSV injection flaw affecting all releases up to 1.1.7. The flaw arises when an authenticated Administrator uses the import/export feature to write untrusted data into exported CSV files. If a victim opens the exported file on a local system with a vulnerable spreadsheet or CSV parser, the injected formula or code can be executed, leading to arbitrary code execution on the victim’s machine. This weakness is identified as CWE-1236.

Affected Systems

The vulnerability applies to the Simple User Import Export plugin by vaniivan, on WordPress sites that run any version of the plugin 1.1.7 or earlier. Administrators or users with higher privileges can trigger the flaw via the plugin’s import/export interface.

Risk and Exploitability

The CVSS score of 6.6 reflects a moderate severity, with the EPSS score indicating a very low probability of exploitation in the current environment and the vulnerability not listed in the CISA KEV catalog. Because an attacker must first be authenticated with Administrator-level access, the threat vector is limited to privileged users. However, once a CSV file containing injected payloads is exported, the risk shifts to any end user who subsequently opens the file locally on a system that interprets spreadsheet formulas, potentially allowing remote code execution on that user’s machine.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

vaniivan

Simple User Import Export

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.7

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Simple User Import Export plugin to version 1.1.8 or later, which removes the CSV injection flaw.
If an upgrade is not possible, disable the export feature for users without Administrator privileges or restrict export access entirely to reduce the attack surface.
Sanitize or escape exported CSV content to ensure that any user-supplied data is treated strictly as plain text, preventing spreadsheet formulas from being interpreted when the file is opened locally.

Generated by OpenCVE AI on April 22, 2026 at 00:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://it.wordpress.org/plugins/a3-user-importer/
https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve

History

Tue, 18 Nov 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 18 Nov 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Tue, 18 Nov 2025 09:45:00 +0000

Type	Values Removed	Values Added
Description		The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration
Title		Simple User Import Export <= 1.1.7 - Authenticated (Admin+) CSV Injection
Weaknesses		CWE-1236
References		https://it.wordpress.org/plugins/a3-user-importer/ https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve
Metrics		cvssV3_1 `{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-18T09:27:37.077Z

Updated: 2026-04-08T16:46:52.332Z

Reserved: 2025-11-13T18:10:42.350Z

Link: CVE-2025-13133

Vulnrichment

Updated: 2025-11-18T21:23:29.954Z

NVD

Status : Deferred

Published: 2025-11-18T10:15:49.420

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses

CWE-1236

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object