The Demo Importer Plus plugin for WordPress contains an XML External Entity injection flaw that can be triggered through its SVG file upload feature. When an authenticated user with Author-level access or higher uploads a specially crafted SVG file, the plugin’s XML parser may process external entities and cause code execution on the server. This weakness is identified as CWE-611 and allows attackers to run arbitrary code, potentially compromising the entire WordPress installation in environments using PHP versions older than 8.0.

Sites that use the kraftplugins:Demo Importer Plus WordPress plugin with versions 2.0.9 or earlier are affected. The vulnerability is limited to installations that employ PHP versions below 8.0, and the attack requires the user to possess at least Author rights or higher on the WordPress site.

The CVSS score for this issue is 7.5, indicating a high severity. The EPSS score is less than 1%, suggesting a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not presently listed in the CISA KEV catalog. The attack vector requires an authenticated user to upload a malicious SVG file, which disproportionately targets sites that allow authors to publish media and do not restrict file types. In the absence of any official patch, attackers could abuse this flaw by crafting a payload that exploits PHP’s XML parser to execute arbitrary code. Administrative or technical details to exploit are not disclosed in the public description, but the compromise path is clear: authenticated upload → XML entity processing → code execution. The high severity, coupled with the fact that the flaw exists in a commonly used plugin, warrants immediate attention.