CVE-2025-14478
Published: 17 January 2026
Summary
CVE-2025-14478 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in the Demo Importer Plus plugin for WordPress (product inferred from the references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-14478 is an XML External Entity Injection (XXE) vulnerability (CWE-611) in the Demo Importer Plus plugin for WordPress, affecting all versions up to and including 2.0.9. The issue arises in the SVG file upload functionality and only impacts sites running PHP versions older than 8.0: PHP 8.0 raised the minimum libxml2 version to 2.9.0, which no longer loads external entities by default, so the same parser call is exposed only on older PHP/libxml combinations (unless the caller explicitly opts in with LIBXML_NOENT).
Authenticated attackers with Author-level access or higher can exploit this vulnerability to achieve code execution in vulnerable configurations. The CVSS v3.1 base score is 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Note that this vector encodes an unauthenticated (PR:N), confidentiality-only (C:H/I:N/A:N) impact, which does not match the Author-level precondition or the code-execution outcome described above; treat the vector as published and verify it against the upstream advisory before using it for prioritisation.
Advisories reference vulnerable code in the plugin's inc/importers/class-demo-importer-plus-sites-helper.php file at line 88, as shown in WordPress plugin trac browsers for version 2.0.6 and trunk, along with changeset 3439643. Additional details are available in the Wordfence threat intelligence report.
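The following is an added illustration, not code from the Demo Importer Plus plugin or from the referenced advisories: a minimal SVG import step that exhibits the XXE pattern described above, beside a hardened version that applies the input-validation and parser-configuration controls listed under Mitigating Controls. The function names (`parse_svg_vulnerable`, `parse_svg_hardened`), the variable names and the sample SVG are hypothetical and constructed for this example.

```php
<?php
// Added example (hypothetical names, not the plugin's code).
// Constructed attacker-controlled SVG: a DTD declares an external entity that
// points at a local file and the document body references it.
$maliciousSvg = <<<'SVG'
<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>
SVG;

// VULNERABLE pattern (illustrative). LIBXML_NOENT asks libxml2 to substitute
// entities, so the SYSTEM entity above is fetched and its contents become part
// of the parsed document. PHP 8.0's upgrade notes say this flag stays unsafe on
// every PHP version; without it, the exposure is the pre-8.0 / pre-libxml2 2.9.0
// default that loaded external entities unless the loader was disabled.
function parse_svg_vulnerable(string $svg): ?SimpleXMLElement
{
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($svg, 'SimpleXMLElement', LIBXML_NOENT);
    return $xml === false ? null : $xml;
}

// HARDENED pattern (illustrative):
//  1. refuse any upload carrying a DTD or entity declaration before parsing
//     (an SVG for a theme demo never needs one);
//  2. on PHP < 8.0 disable the external entity loader around the parse
//     (deprecated and unnecessary on 8.0+, hence the version guard);
//  3. never pass LIBXML_NOENT and add LIBXML_NONET so no network fetch can occur.
function parse_svg_hardened(string $svg): ?DOMDocument
{
    // Drop a UTF-8 BOM and leading whitespace, then look for DTD markers.
    $probe = ltrim($svg, "\xEF\xBB\xBF \t\r\n");
    if (stripos($probe, '<!DOCTYPE') !== false || stripos($probe, '<!ENTITY') !== false) {
        return null; // input validation: rejected before it reaches the parser
    }

    $previousLoaderState = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoaderState = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    $dom->resolveExternals    = false; // the defaults, spelled out deliberately
    $dom->substituteEntities  = false;
    $ok = $dom->loadXML($svg, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);

    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader($previousLoaderState);
    }
    libxml_clear_errors();

    // Defence in depth: a DOCTYPE that evaded the string check (e.g. through an
    // unusual encoding) is still rejected once the parser has seen it.
    if (!$ok || $dom->doctype !== null) {
        return null;
    }
    return $dom;
}

// Usage: the first call is the dangerous one, the second rejects the upload.
$parsedUnsafely = parse_svg_vulnerable($maliciousSvg);
$parsedSafely   = parse_svg_hardened($maliciousSvg);
var_dump($parsedUnsafely instanceof SimpleXMLElement, $parsedSafely);
```

The pre-parse string check is the cheapest control and works on every PHP and libxml2 version; the `PHP_VERSION_ID` guard keeps `libxml_disable_entity_loader()` (deprecated in PHP 8.0) from emitting notices on current releases while still protecting the older installs this CVE targets. If the importer later needs the SVG as text again, re-serialise from the validated `DOMDocument` rather than reusing the raw upload.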
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3148
Vulnerability details
The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.
- CWE(s): CWE-611 Improper Restriction of XML External Entity Reference
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XXE in the upload handler of a publicly reachable WordPress plugin lets an authenticated attacker reach code execution, which maps to Exploit Public-Facing Application (T1190) for the initial access and to command/script interpreter use for the resulting execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of XML content in SVG file uploads (for example, rejecting documents that carry a DTD or entity declarations) to prevent processing of external entities that enable XXE attacks.
- SI-2 (Flaw Remediation): Requires timely remediation of the identified XXE flaw in the Demo Importer Plus plugin by applying patches or updates beyond version 2.0.9.
- CM-6 (Configuration Settings): Mandates secure configuration settings for PHP and XML parsers (e.g., disabling external entity loading in libxml and never passing LIBXML_NOENT) to block XXE exploitation on vulnerable PHP versions.