Description
The Design Import/Export plugin for WordPress is vulnerable to SQL Injection via XML File Import in all versions up to, and including, 2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-13
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Exposure via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The Design Import/Export plugin for WordPress is vulnerable to SQL Injection through its XML file import function. Because the plugin neither escapes the user supplied value nor routes it through a prepared statement, an administrator who uploads a crafted XML file can append additional SQL to the existing database query. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The administrator-level precondition limits who can reach the flaw; once reached, the injected SQL runs with the plugin's database access and can be used to read sensitive tables, so the vulnerability primarily threatens data confidentiality.
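The following Python script is an added illustration of the flaw class described above; it is not the plugin's code, which this page does not show. It stands in for the WordPress PHP pattern: a lookup built by string concatenation, as `$wpdb->get_results("... WHERE slug = '" . $slug . "'")` would be, beside the same lookup routed through a placeholder, as `$wpdb->prepare("... WHERE slug = %s", $slug)` does. The table name `wp_design_templates`, the `slug` attribute and the XML layout are assumptions made for the example; sqlite3 replaces MySQL so it runs offline, and both sample XML documents are constructed.

```python
"""Added example: SQL injection through an XML import value (illustrative, not the plugin's code)."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample imports. The attacker controls every attribute in the uploaded file;
# here the payload rides in the hypothetical `slug` attribute.
BENIGN_XML = '<export><template slug="header-dark"/></export>'
MALICIOUS_XML = (
    '<export><template slug="'
    "x' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "
    '"/></export>'
)


def make_db():
    """In-memory stand-in for the WordPress database. wp_users is a real core table
    (the hash value is a placeholder, not a real hash); wp_design_templates is a
    hypothetical plugin table invented for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES ('admin', '$P$BexampleHashNotReal');
        CREATE TABLE wp_design_templates (slug TEXT, content TEXT);
        INSERT INTO wp_design_templates VALUES ('header-dark', 'dark header markup');
    """)
    return db


def slugs_from_import(xml_text):
    """Parse the uploaded XML and return the slug of every <template> element."""
    root = ET.fromstring(xml_text)
    return [t.get("slug", "") for t in root.iter("template")]


def lookup_vulnerable(db, slug):
    """Interpolates the XML value straight into SQL: the pattern the advisory describes
    (no escaping, no prepared statement). An attacker's quote closes the literal and
    the rest of the value is parsed as SQL."""
    sql = f"SELECT content FROM wp_design_templates WHERE slug = '{slug}'"
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db, slug):
    """Same lookup with a bound parameter (the $wpdb->prepare() equivalent): the value
    travels as data, so the quote and UNION never reach the parser as syntax."""
    sql = "SELECT content FROM wp_design_templates WHERE slug = ?"
    return [row[0] for row in db.execute(sql, (slug,))]


SLUG_RE = re.compile(r"[a-z0-9-]{1,64}")


def lookup_hardened(db, slug):
    """Defence in depth: reject anything that is not a plausible slug before it reaches
    the query, and still bind the parameter."""
    if not SLUG_RE.fullmatch(slug):
        raise ValueError(f"rejected import value: {slug!r}")
    return lookup_fixed(db, slug)


def run_import(db, xml_text, lookup):
    """Resolve every template in the import with the given lookup strategy."""
    return {slug: lookup(db, slug) for slug in slugs_from_import(xml_text)}


if __name__ == "__main__":
    db = make_db()
    # The vulnerable path leaks the wp_users row; the prepared path returns nothing.
    print("vulnerable:", run_import(db, MALICIOUS_XML, lookup_vulnerable))
    print("prepared:  ", run_import(db, MALICIOUS_XML, lookup_fixed))
```

With the malicious import, the concatenated query becomes `... WHERE slug = 'x' UNION SELECT user_login || ':' || user_pass FROM wp_users -- '`, and the trailing quote is swallowed by the comment; the bound-parameter version searches for a slug literally equal to the payload and finds no row. The allowlist check is not a substitute for the prepared statement, only a second gate in front of it.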

Affected Systems

All installations of the xul Design Import/Export – Styles, Templates, Template Parts and Patterns plugin up to and including release 2.2 are affected. The flaw is only reachable when an authenticated user with administrator-level privileges imports an XML file; users without such elevated rights cannot trigger the vulnerability.

Risk and Exploitability

The CVSS 3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) signals moderate severity: the vector rates confidentiality impact High and integrity and availability impact None, and the High privileges required (administrator) pull the score well below what the same flaw would receive at a lower role. The EPSS score of less than 1% indicates that, as of the time of analysis, exploitation attempts are expected to be rare, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, an attacker who compromises an administrator account, or a malicious administrator, could inject arbitrary SQL through the import and read private data from the database. The risk is therefore confined to environments where privileged accounts are exposed; since a WordPress administrator already holds broad control over the site, what the flaw adds for such an attacker is direct read access to database tables rather than a new privilege level.

Generated by OpenCVE AI on April 21, 2026 at 00:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Design Import/Export plugin to a release newer than 2.2 as soon as the vendor publishes one; no fixed version is listed on this page at the time of writing, so confirm in the plugin's changelog that the update addresses the XML import SQL injection before relying on it
  • Limit administrator-level access to the smallest set of trusted accounts, since the import feature (and therefore the injection) is reachable only to that role; review existing administrator accounts and remove any that are stale or unrecognised
  • If an upgrade is not available or the import feature is not needed, deactivate or delete the Design Import/Export plugin to remove the attack surface entirely

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products | Values Removed: (none) | Values Added: Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 03:45:00 +0000

Type: Description | Values Removed: (none) | Values Added: The Design Import/Export plugin for WordPress is vulnerable to SQL Injection via XML File Import in all versions up to, and including, 2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title | Values Removed: (none) | Values Added: Design Import/Export <= 2.2 - Authenticated (Administrator+) SQL Injection via XML File Import
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-89
Type: References | Values Removed: (none) | Values Added: (none listed)
Type: Metrics | Values Removed: (none) | Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:17.401Z

Reserved: 2025-12-04T17:03:14.940Z

Link: CVE-2025-14050

Vulnrichment

Updated: 2025-12-15T15:43:53.803Z

NVD

Status : Deferred

Published: 2025-12-13T16:16:47.750

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses