CVE-2025-13066
Published: 05 December 2025
Summary
CVE-2025-13066 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the insufficient file type validation flaw by requiring checks on information inputs like uploaded WXR files to block arbitrary file uploads.
Mandates timely flaw remediation, such as patching the Demo Importer Plus plugin beyond version 2.0.6, to eliminate the arbitrary file upload vulnerability.
Enforces least privilege to restrict author-level users from accessing demo import functions, reducing the attack surface for authenticated exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload in public-facing WordPress plugin exploitable by low-privileged authenticated users (author+), enabling RCE via T1190 (Exploit Public-Facing Application) and facilitating privilege escalation from web user to system access via T1068 (Exploitation for Privilege Escalation).
NVD Description
The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while…
more
being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Deeper analysisAI
CVE-2025-13066 is an arbitrary file upload vulnerability affecting the Demo Importer Plus plugin for WordPress in all versions up to and including 2.0.6. The issue stems from insufficient file type validation when handling WXR files, which permits double extension files to bypass sanitization while still being accepted as valid imports. This flaw is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with author-level access or higher can exploit this vulnerability remotely without user interaction. By uploading specially crafted files during the demo import process, they can place arbitrary files on the affected WordPress site's server, potentially enabling remote code execution depending on server permissions and file types.
Mitigation details are available in advisories from Wordfence and a patch committed to the plugin's Trac repository at https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers, along with further analysis at https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve. Security practitioners should update to a patched version of the plugin beyond 2.0.6 and review access controls for author roles.
Details
- CWE(s)