Impact
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin contains a PHP Object Injection vulnerability that is triggered by deserializing untrusted input from the 'form_data' parameter. An attacker who is authenticated with Administrator or higher privileges can submit crafted input to inject a PHP object. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). Because the plugin itself does not include a known property-oriented programming (POP) chain, the injection alone does not directly allow code execution or data exfiltration. However, if another plugin or theme that contains a usable POP chain is installed on the same WordPress site, the injected object could be leveraged to delete arbitrary files, retrieve sensitive data, or execute code, depending on the specifics of that chain.
Affected Systems
The affected software is the WebToffee Product Import Export for WooCommerce plugin, all versions up to and including 2.5.0. Users running any of these versions on a WordPress installation are vulnerable.
Risk and Exploitability
The CVSS score of 7.2 places the vulnerability in the High severity range. The EPSS score of <1% indicates a low, but still realistic, probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Because exploitation requires authenticated access with at least Administrator privileges, the vulnerability is reachable only by users who can log into the WordPress admin interface. The lack of an existing POP chain in the plugin reduces immediate risk, yet the potential for a cascading attack when combined with other vulnerable extensions remains a significant concern.
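As a detection aid for the 'form_data' deserialization described above, the following added example (not code from the plugin or its vendor) flags form bodies whose 'form_data' value carries a serialized PHP object and checks a version string against the affected range. It assumes the value arrives as URL-encoded PHP serialize() text, optionally base64-wrapped; the request bodies, the "example" action and the "ExampleGadget" class are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# PHP serialize() writes objects as O:<len>:"Class":<count>:{ and
# Serializable objects as C:<len>:"Class":<len>:{
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')
LAST_AFFECTED = (2, 5, 0)  # from the advisory: up to and including 2.5.0


def is_affected(version):
    """True if a plugin version string falls in the affected range."""
    return tuple(int(p) for p in version.split(".")) <= LAST_AFFECTED


def candidate_texts(value):
    """Yield the value as sent and, if it is valid base64, its decoding."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass  # not base64: only the raw form is inspected


def serialized_classes(body, param="form_data"):
    """Class names of serialized PHP objects carried in `param` of a form body."""
    found = []
    for value in parse_qs(body, keep_blank_values=True).get(param, []):
        for text in candidate_texts(value):
            found.extend(OBJECT_TOKEN.findall(text))
    return found


# Constructed request bodies (assumed encoding, placeholder names).
SAMPLES = [
    urlencode({"action": "example", "form_data": 'a:1:{s:4:"page";i:2;}'}),
    urlencode({"action": "example",
               "form_data": 'a:1:{i:0;O:13:"ExampleGadget":0:{}}'}),
    urlencode({"action": "example",
               "form_data": base64.b64encode(b'O:8:"stdClass":0:{}').decode()}),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(serialized_classes(body) or "no object tokens", "<-", body[:60])
```

A hit means an object token is present in the parameter, not that a usable POP chain exists on the site; treat it as a signal to review which administrator account sent the request.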