{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13066", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-12T13:23:44.451Z", "datePublished": "2025-12-05T03:28:36.875Z", "dateUpdated": "2026-04-08T17:02:59.512Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:59.512Z"}, "affected": [{"vendor": "kraftplugins", "product": "Demo Importer Plus", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Demo Importer Plus <= 2.0.6 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-11-12T13:39:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-04T14:25:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T15:57:49.015463Z", "id": "CVE-2025-13066", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T15:58:13.597Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13066", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-05T15:57:49.015463Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T15:58:08.392Z"}}], "cna": {"title": "Demo Importer Plus <= 2.0.6 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "kraftplugins", "product": "Demo Importer Plus", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-12T13:39:09.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-04T14:25:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers"}], "descriptions": [{"lang": "en", "value": "The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:59.512Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13066", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:59.512Z", "dateReserved": "2025-11-12T13:23:44.451Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T03:28:36.875Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2025-13066", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T04:15:59.757", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:47:41.000553+00:00", "value": {"mitigation_remediation": ["Update Demo Importer Plus to a version newer than 2.0.6.", "Reduce author capabilities by disabling the plugin for non\u2011admin users or restricting the upload feature to administrators only.", "Enforce strict file type validation on the server, for example by configuring WordPress or the web server to reject files that do not match the MIME type of WXR files and block double extensions."], "summary": {"action": "Patch Now", "impact": "Arbitrary file upload with potential remote code execution"}, "threat_synthesis": {"affected_systems": "Kraftplugins\u2019 Demo Importer Plus 2.0.6 and earlier. The vulnerability affects all WordPress sites that have the plugin installed at or below the specified version; no other products are affected. Sites must verify the installed plugin version and ensure it is not within the vulnerable range.", "description_and_impact": "The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to 2.0.6. The flaw arises from insufficient file type validation, which allows double\u2011extension files to bypass sanitization while being accepted as a valid WXR file. Authenticated attackers with author or higher privileges can upload arbitrary files to the site\u2019s server, potentially enabling remote code execution. This is a classic CWE\u2011434 file upload vulnerability that threatens confidentiality, integrity, and availability of the affected WordPress environment.", "risk_and_exploitability": "The flaw carries a CVSS base score of 8.8, classifying it as high severity. The EPSS score of <1% indicates a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, legitimate authors or higher role users can exploit the upload bypass to place malicious files on the server, making the risk significant for sites where authors can upload files. Attackers would need user credentials and the author capability; the path requires no additional privileges beyond those granted by the role. Given the severity and the potential for RCE, the vulnerability represents a serious threat if an attacker can gain such credentials or trick a legitimate user into uploading a malicious payload."}}}}, "created": "2025-12-05T10:52:02.424206+00:00", "updated": "2026-04-21T18:00:11.706068+00:00", "vendors": ["kraftplugins", "kraftplugins$PRODUCT$demo_importer_plus", "wordpress", "wordpress$PRODUCT$wordpress"]}