Cyber Resilience

CVE-2025-14478

High

Published: 17 January 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0014 (33.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14478 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in the Demo Importer Plus plugin for WordPress (the affected product is inferred from the references and description, as NVD did not file a CPE). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-14478 is an XML External Entity Injection (XXE) vulnerability (CWE-611) in the Demo Importer Plus plugin for WordPress, affecting all versions up to and including 2.0.9. The issue arises in the SVG file upload functionality and only impacts sites running PHP versions older than 8.0.

Authenticated attackers with Author-level access or higher can exploit this vulnerability to achieve code execution in vulnerable configurations. Note that the recorded CVSS v3.1 vector, 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), scores the flaw as requiring no privileges and as affecting confidentiality only, which matches a file-disclosure XXE but not the Author-level prerequisite or the code-execution outcome in the description; reconcile the two before using the score alone for prioritisation.

Advisories reference the vulnerable code in the plugin's inc/importers/class-demo-importer-plus-sites-helper.php file at line 88, as shown in the WordPress plugin Trac browser for version 2.0.6 and trunk, along with changeset 3439643. Additional details are available in the Wordfence threat intelligence report.


Vulnerability details

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.

CWE(s)

CWE-611 Improper Restriction of XML External Entity Reference

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

XXE in the SVG upload handler of a public-facing WordPress plugin leads to code execution for authenticated (Author-level) attackers, which maps to exploitation of a public-facing application for initial access and to command/script interpreter usage for execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-38693 (shared CWE-611)
CVE-2025-65482 (shared CWE-611)
CVE-2024-56322 (shared CWE-611)
CVE-2024-49352 (shared CWE-611)
CVE-2024-2374 (shared CWE-611)
CVE-2026-3603 (shared CWE-611)
CVE-2026-41066 (shared CWE-611)
CVE-2025-0162 (shared CWE-611)
CVE-2025-68493 (shared CWE-611)
CVE-2024-46603 (shared CWE-611)

Affected Assets

WordPress (Demo Importer Plus plugin, versions up to and including 2.0.9)
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): Enforces validation of XML content in SVG file uploads to prevent processing of external entities that enable XXE attacks.

prevent: Requires timely remediation of the identified XXE flaw in the Demo Importer Plus plugin by applying patches or updates beyond version 2.0.9.

prevent · CM-6 (Configuration Settings): Mandates secure configuration settings for PHP and XML parsers (e.g., disabling external entity expansion in libxml) to block XXE exploitation on vulnerable PHP versions.
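The parsing pattern behind an SVG-upload XXE, beside a parser that applies the SI-10 and CM-6 controls above, as an added example written for this page. It is not code from the Demo Importer Plus plugin, from WordPress core or from Wordfence, and it does not reproduce the plugin's actual vulnerable function at line 88 of the file cited in the deeper analysis. The function names, the sample SVG, and the file path in its SYSTEM identifier are constructed for illustration; the affected-version predicate at the end encodes the advisory's own condition (plugin 2.0.9 or earlier on PHP older than 8.0).

```php
<?php
// Added example for this page. Not code from the Demo Importer Plus plugin,
// WordPress core or Wordfence; it shows the CWE-611 parsing pattern behind an
// SVG-upload XXE beside a parser that applies SI-10 and CM-6. Function names
// and the sample SVG are constructed for illustration.
declare(strict_types=1);

// Constructed sample: an SVG whose internal DTD declares an external entity.
// The SYSTEM identifier is illustrative; an attacker would choose the target.
function sample_xxe_svg(): string
{
    return <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>
XML;
}

// Vulnerable pattern, defined for comparison only (do not feed it untrusted
// input): LIBXML_NOENT asks libxml to substitute entities, and on a PHP < 8.0
// runtime that has not called libxml_disable_entity_loader(true) the SYSTEM
// identifier is fetched, so the referenced file's contents land in the document.
function parse_svg_vulnerable(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    return $dom->textContent;
}

// Hardened parser.
function parse_svg_hardened(string $xml): DOMDocument
{
    // SI-10: validate before parsing. A legitimate SVG never needs an internal
    // DTD, so any DOCTYPE (and therefore any ENTITY declaration) is rejected.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('SVG with DOCTYPE rejected');
    }

    // CM-6: parser configuration. On PHP < 8.0 switch the external entity
    // loader off; the function is deprecated from 8.0, hence the version guard.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // No LIBXML_NOENT and no LIBXML_DTDLOAD; LIBXML_NONET forbids network fetches.
    $loaded = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($loaded === false) {
        throw new RuntimeException('SVG is not well-formed XML');
    }

    // Belt and braces: no DTD node may survive parsing, and the root must be
    // an <svg> element in the SVG namespace.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('SVG with DTD rejected');
    }
    $root = $dom->documentElement;
    if ($root === null
        || $root->localName !== 'svg'
        || $root->namespaceURI !== 'http://www.w3.org/2000/svg') {
        throw new InvalidArgumentException('root element is not <svg>');
    }
    return $dom;
}

// The advisory's affected condition as a predicate: plugin version <= 2.0.9
// running on a PHP version older than 8.0.
function cve_2025_14478_affected(string $pluginVersion, string $phpVersion = PHP_VERSION): bool
{
    return version_compare($pluginVersion, '2.0.9', '<=')
        && version_compare($phpVersion, '8.0.0', '<');
}

// Demonstration against the constructed sample.
try {
    parse_svg_hardened(sample_xxe_svg());
    echo 'accepted', PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
printf("plugin 2.0.9 on PHP 7.4.33 affected: %s\n", cve_2025_14478_affected('2.0.9', '7.4.33') ? 'yes' : 'no');
printf("plugin 2.0.9 on PHP 8.1.0 affected: %s\n", cve_2025_14478_affected('2.0.9', '8.1.0') ? 'yes' : 'no');
```

The DOCTYPE rejection is the control that does not depend on the PHP version: it refuses the input class that makes XXE possible at all, so it still protects a site whose PHP build or libxml configuration behaves differently from what the advisory assumes. The libxml settings are the second layer and are what the CM-6 item above refers to.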
