Cyber Posture

CVE-2025-12733

Severity: High · Type: RCE

Published: 13 November 2025
Modified: 15 April 2026
KEV Added: not listed
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.2th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-12733 is a high-severity Code Injection (CWE-94) vulnerability in the WP All Import plugin for WordPress (the affected product is inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 49.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and patching of the code injection flaw in the WP All Import plugin's eval() usage, directly preventing exploitation of CVE-2025-12733.
- SI-10 Information Input Validation (prevent): Mandates input validation at import template entry points to sanitize or reject unsanitized user-supplied input before it reaches the vulnerable pmxi_if eval() function.
- Least privilege (prevent): Enforces least privilege to restrict import capabilities to only essential users, reducing the risk of authenticated attackers exploiting the RCE vulnerability.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The vulnerability enables remote code execution via exploitation of a public-facing WordPress plugin (T1190) through code injection in crafted import templates processed with eval() (T1221).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.

Deeper analysis

CVE-2025-12733 is a remote code execution vulnerability affecting the WP All Import plugin for WordPress, which enables importing XML, CSV, or Excel files. All versions up to and including 3.9.6 are vulnerable due to the use of the eval() function on unsanitized user-supplied input within the pmxi_if function in the helpers/functions.php file. This flaw, classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), was published on 2025-11-13.

Authenticated attackers with import capabilities, typically administrators, can exploit this vulnerability by crafting malicious import templates. By injecting arbitrary PHP code into these templates, attackers can achieve remote code execution on the affected WordPress server, potentially leading to full server compromise including data theft, modification, or further lateral movement.

References include the vulnerable code at line 79 in helpers/functions.php of version 3.9.6, a related changeset in the plugin's repository, and a Wordfence threat intelligence advisory detailing the issue. Security practitioners should review these sources for patch details, such as updates beyond version 3.9.6, and immediately update the plugin or restrict import access to mitigate risk.
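As an added illustration (not the plugin's own code, and not taken from this page's references), the PHP below contrasts the eval()-on-template-input pattern the advisory describes with a hardened helper that accepts only a fixed comparison grammar and never hands template text to the PHP parser; this is the kind of input validation the SI-10 control above calls for. The function names, the grammar, and the sample record are assumptions.

```php
<?php
// Added illustration, not the WP All Import plugin's code: a simplified
// template conditional helper in the shape the advisory describes (eval()
// applied to a condition taken from a user-supplied import template), next
// to a hardened version that never passes template text to the PHP parser.
// Function names, the grammar and the record fields are hypothetical.

// Vulnerable pattern (CWE-94): {field} placeholders are substituted into the
// condition string and the result is handed to eval(). Anything the PHP
// parser accepts in that string runs with the web server's privileges.
function template_if_unsafe(string $condition, array $record): bool
{
    $expr = preg_replace_callback('/\{(\w+)\}/', function ($m) use ($record) {
        return var_export((string) ($record[$m[1]] ?? ''), true);
    }, $condition);
    return (bool) eval("return ($expr);");
}

// Hardened pattern: accept only "{field} OP literal", where OP is one of a
// fixed set and the literal is a double-quoted string (no escapes) or a
// number, and perform the comparison in PHP code. Template text is treated
// as data, never as code; anything outside the grammar is rejected and logged.
function template_if_safe(string $condition, array $record): bool
{
    $grammar = '/^\s*\{(\w+)\}\s*(==|!=|<=|>=|<|>)\s*'
             . '("([^"\\\\]*)"|-?\d+(?:\.\d+)?)\s*$/';
    if (!preg_match($grammar, $condition, $m)) {
        // Reject rather than guess, and leave a trail for detection.
        error_log('template_if_safe: rejected condition ' . json_encode($condition));
        return false;
    }
    $left  = (string) ($record[$m[1]] ?? '');
    $right = isset($m[4]) ? $m[4] : $m[3];   // quoted string body, or the number

    // Numeric comparison when both sides are numeric, string comparison otherwise.
    $cmp = (is_numeric($left) && is_numeric($right))
        ? ((float) $left <=> (float) $right)
        : strcmp($left, $right);

    switch ($m[2]) {
        case '==': return $cmp === 0;
        case '!=': return $cmp !== 0;
        case '<':  return $cmp < 0;
        case '<=': return $cmp <= 0;
        case '>':  return $cmp > 0;
        case '>=': return $cmp >= 0;
    }
    return false;
}

// Constructed sample record, as one import row would provide it.
$record = ['price' => '25', 'status' => 'active'];

// Legitimate template conditions: both helpers give the same answer.
var_dump(template_if_unsafe('{price} > 10', $record));
var_dump(template_if_safe('{price} > 10', $record));
var_dump(template_if_safe('{status} == "active"', $record));

// A condition carrying extra PHP after the comparison. The unsafe helper
// would execute it; the hardened helper rejects it, logs it and returns false.
var_dump(template_if_safe('{price} > 10 || print("ran")', $record));
```

Run it with the PHP CLI; the rejected condition appears on stderr via error_log, which is the hook a defender would route into plugin or web-server logging. The design choice is that the hardened helper gains no security from escaping or filtering the string before eval(); it removes eval() entirely and limits what a template can express to comparisons that are evaluated by ordinary PHP code.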

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2026-4257 (shared CWE-94)
- CVE-2026-27745 (shared CWE-94)
- CVE-2025-29306 (shared CWE-94)
- CVE-2026-5760 (shared CWE-94)
- CVE-2025-54815 (shared CWE-94)
- CVE-2025-46295 (shared CWE-94)
- CVE-2025-23209 (shared CWE-94)
- CVE-2026-39440 (shared CWE-94)
- CVE-2026-3300 (shared CWE-94)
- CVE-2025-6389 (shared CWE-94)

References