Description
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Published: 2025-03-27
Score: 9.8 Critical
EPSS: 2.1% Low
KEV: No
Impact: Unauthenticated PHP Object Injection with potential code execution
Action: Apply Update
AI Analysis

Impact

The vulnerability in the Export All Posts, Products, Orders, Refunds & Users plugin allows unauthenticated attackers to inject a PHP object during deserialization in the returnMetaValueAsCustomerInput function. Because the plugin passes externally controllable data to the PHP unserialize() function, a crafted serialized payload instantiates an arbitrary PHP object when it is processed. The plugin itself contains no property-oriented programming (POP) chain, but an injected object can be combined with a POP chain from another plugin or theme on the same site to delete files, read sensitive data, or execute arbitrary code, depending on the chain that is available.

Affected Systems

The vulnerability affects every WordPress installation running SMACKcoders’ Export All Posts, Products, Orders, Refunds & Users plugin at version 2.13 or earlier. Any such site is at risk; no instance of this issue is known in versions released after 2.13.

Risk and Exploitability

The technical risk is reflected in a CVSS base score of 9.8 and an EPSS of 2.1 %: the severity is critical, although the predicted probability of exploitation in the wild is not extreme. Attackers can reach the vulnerable code over the network through unauthenticated HTTP requests. The absence of an internal POP chain reduces the immediacy of the risk, but the presence of any POP-capable plugin or theme on the same site turns the vulnerability into a high-severity remote code execution vector. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.14 or newer
  • If an update is not possible, deactivate or remove the plugin until a fix is released
  • Inspect the site for any additional plugins or themes that may contain a POP chain and update or eliminate them
  • Restrict access to the plugin’s deserialization endpoint to authenticated users or remove the vulnerable function from the public API
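As an added illustration of the unserialize() pattern described under Impact and of the hardening the recommended actions call for, the following PHP is written here and is not the plugin's own code; the function names and the sample meta values are hypothetical.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical helper, not the plugin's code): an untrusted
// meta value goes straight to unserialize(), so an "O:" token in the payload
// instantiates whatever class the payload names.
function metaValueUnsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: never instantiate a class from the payload, then accept
// only the shapes an exporter actually needs (scalars or arrays of scalars).
function metaValueSafe(string $raw)
{
    // allowed_classes => false turns every object token into
    // __PHP_Incomplete_Class instead of constructing it, so no __wakeup() or
    // __destruct() method of a gadget class can run during deserialization.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed input: treat as absent rather than guessing
    }
    return containsObject($value) ? null : $value;
}

// Recursively reject objects, including the incomplete-class placeholder,
// so an object nested inside an array cannot slip through either.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a legitimate customer field and a bare object token.
$legit         = serialize(['first_name' => 'Ada', 'newsletter' => true]);
$objectPayload = serialize(new stdClass());

var_dump(metaValueUnsafe($objectPayload)); // an instance is created
var_dump(metaValueSafe($objectPayload));   // rejected
var_dump(metaValueSafe($legit));           // accepted
```

Where the plugin controls both the writer and the reader of the meta value, storing it as JSON and reading it with json_decode() removes the object-instantiation problem entirely, because JSON has no class token.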



Advisories
Source    ID                Title
EUVD      EUVD-2025-8283    (same description as above)
History

Thu, 27 Mar 2025 15:15:00 +0000

Type         Values Removed    Values Added
Metrics                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 05:30:00 +0000

Type         Values Removed    Values Added
Description                    (same description as above)
Title                          Export All Posts, Products, Orders, Refunds & Users <= 2.13 - Unauthenticated PHP Object Injection
Weaknesses                     CWE-502
References
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:01.964Z

Reserved: 2025-03-14T23:51:13.643Z

Link: CVE-2025-2332

Vulnrichment

Updated: 2025-03-27T14:38:32.365Z

NVD

Status: Deferred

Published: 2025-03-27T06:15:28.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses