{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13133", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-13T18:10:42.350Z", "datePublished": "2025-11-18T09:27:37.077Z", "dateUpdated": "2026-04-08T16:46:52.332Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:52.332Z"}, "affected": [{"vendor": "vaniivan", "product": "Simple User Import Export", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration"}], "title": "Simple User Import Export <= 1.1.7 - Authenticated (Admin+) CSV Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve"}, {"url": "https://it.wordpress.org/plugins/a3-user-importer/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File", "cweId": "CWE-1236", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "baseScore": 6.6, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2025-11-17T20:52:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T21:21:02.061747Z", "id": "CVE-2025-13133", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:32:02.192Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T21:21:02.061747Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:23:29.954Z"}}], "cna": {"title": "Simple User Import Export <= 1.1.7 - Authenticated (Admin+) CSV Injection", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"}}], "affected": [{"vendor": "vaniivan", "product": "Simple User Import Export", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-17T20:52:10.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve"}, {"url": "https://it.wordpress.org/plugins/a3-user-importer/"}], "descriptions": [{"lang": "en", "value": "The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1236", "description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:52.332Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13133", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:52.332Z", "dateReserved": "2025-11-13T18:10:42.350Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T09:27:37.077Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration"}], "id": "CVE-2025-13133", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T10:15:49.420", "references": [{"source": "security@wordfence.com", "url": "https://it.wordpress.org/plugins/a3-user-importer/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:32:14.338656+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple User Import Export plugin to version 1.1.8 or later, which removes the CSV injection flaw.", "If an upgrade is not possible, disable the export feature for users without Administrator privileges or restrict export access entirely to reduce the attack surface.", "Sanitize or escape exported CSV content to ensure that any user-supplied data is treated strictly as plain text, preventing spreadsheet formulas from being interpreted when the file is opened locally."], "summary": {"action": "Immediate Patch", "impact": "Potential code execution via CSV injection"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the Simple User Import Export plugin by vaniivan, on WordPress sites that run any version of the plugin 1.1.7 or earlier. Administrators or users with higher privileges can trigger the flaw via the plugin\u2019s import/export interface.", "description_and_impact": "The Simple User Import Export WordPress plugin contains a CSV injection flaw affecting all releases up to 1.1.7. The flaw arises when an authenticated Administrator uses the import/export feature to write untrusted data into exported CSV files. If a victim opens the exported file on a local system with a vulnerable spreadsheet or CSV parser, the injected formula or code can be executed, leading to arbitrary code execution on the victim\u2019s machine. This weakness is identified as CWE-1236.", "risk_and_exploitability": "The CVSS score of 6.6 reflects a moderate severity, with the EPSS score indicating a very low probability of exploitation in the current environment and the vulnerability not listed in the CISA KEV catalog. Because an attacker must first be authenticated with Administrator-level access, the threat vector is limited to privileged users. However, once a CSV file containing injected payloads is exported, the risk shifts to any end user who subsequently opens the file locally on a system that interprets spreadsheet formulas, potentially allowing remote code execution on that user\u2019s machine."}}}}, "created": "2025-11-18T14:15:53.555514+00:00", "updated": "2026-04-22T00:45:04.148247+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}