Cyber Posture

CVE-2025-14478

High

Published: 17 January 2026

Published
17 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0011 (29.3rd percentile)
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14478 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 29.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-611

Penetration testing includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.

addresses: CWE-611

Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

XXE in public WordPress plugin upload enables remote code execution for authenticated attackers, mapping directly to public-facing app exploitation and command/script interpreter usage.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.

Deeper analysis (AI)

CVE-2025-14478 is an XML External Entity Injection (XXE) vulnerability (CWE-611) in the Demo Importer Plus plugin for WordPress, affecting all versions up to and including 2.0.9. The issue arises in the SVG file upload functionality and only impacts sites running PHP versions older than 8.0.

Authenticated attackers with Author-level access or higher can exploit this vulnerability to achieve code execution in vulnerable configurations. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); note that the vector's PR:N (no privileges required) does not reflect the Author-level access that the NVD description states is needed.

Advisories reference vulnerable code in the plugin's inc/importers/class-demo-importer-plus-sites-helper.php file at line 88, as shown in WordPress plugin trac browsers for version 2.0.6 and trunk, along with changeset 3439643. Additional details are available in the Wordfence threat intelligence report.
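The PHP 8.0 cut-off above comes from libxml's defaults: on PHP older than 8.0 external entities are loaded unless libxml_disable_entity_loader() is called, while PHP 8.0 disables that loading by default (and deprecates the function). The validator below is an added example, not code from the Demo Importer Plus plugin or from Wordfence; it shows the defensive handling an SVG upload path needs, assuming the upload is already available as a string. The DOCTYPE/entity rejection and the version-guarded libxml_disable_entity_loader() call are the parts relevant to the PHP < 8.0 condition.

```php
<?php
// Added example (not the plugin's code): refuse SVG uploads that carry a DTD
// and parse the remainder with external entity loading disabled.

function validate_svg_upload(string $svg): array
{
    // A legitimate SVG never needs a DOCTYPE. Refuse any DTD or entity
    // declaration up front so the parser never processes one.
    if (preg_match('/<!DOCTYPE/i', $svg) || preg_match('/<!ENTITY/i', $svg)) {
        return ['ok' => false, 'reason' => 'DTD or entity declaration present'];
    }

    // On PHP < 8.0 libxml loads external entities by default; switch that
    // off. PHP 8.0+ already disables it and deprecates this call, hence the guard.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. Never pass
    // LIBXML_NOENT: that flag asks libxml to substitute entities.
    $loaded = $dom->loadXML($svg, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$loaded) {
        return ['ok' => false, 'reason' => 'not well-formed XML'];
    }
    // Belt and braces: the pre-check above should already have caught this.
    if ($dom->doctype !== null) {
        return ['ok' => false, 'reason' => 'DOCTYPE present'];
    }
    $root = $dom->documentElement;
    if ($root === null
        || $root->localName !== 'svg'
        || $root->namespaceURI !== 'http://www.w3.org/2000/svg') {
        return ['ok' => false, 'reason' => 'root element is not an SVG'];
    }
    return ['ok' => true, 'reason' => ''];
}

// Constructed samples for illustration: a plain SVG and one that declares an
// (internal, harmless) entity, which the validator must reject.
$benign = '<?xml version="1.0"?>'
    . '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    . '<rect width="10" height="10"/></svg>';
$with_dtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE svg [<!ENTITY ex "placeholder">]>'
    . '<svg xmlns="http://www.w3.org/2000/svg">&ex;</svg>';

foreach (['benign' => $benign, 'with_dtd' => $with_dtd] as $name => $sample) {
    $r = validate_svg_upload($sample);
    printf(
        "%s: %s%s\n",
        $name,
        $r['ok'] ? 'accepted' : 'rejected',
        $r['ok'] ? '' : ' (' . $r['reason'] . ')'
    );
}
```

Rejecting any DOCTYPE is deliberately stricter than only blocking external entities: it also removes billion-laughs style entity expansion and keeps the accepted input set small enough to reason about. The libxml error handling is restored after parsing so the check does not change error reporting for the rest of the request.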

Details

CWE(s)

Affected Products

WordPress
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2024-49352 (shared CWE-611)
CVE-2024-56322 (shared CWE-611)
CVE-2025-65482 (shared CWE-611)
CVE-2023-38693 (shared CWE-611)
CVE-2025-0162 (shared CWE-611)
CVE-2025-61813 (shared CWE-611)
CVE-2026-41066 (shared CWE-611)
CVE-2024-56324 (shared CWE-611)
CVE-2026-1567 (shared CWE-611)
CVE-2024-49781 (shared CWE-611)

References