CVE-2025-1913
Published: 26 March 2025
Summary
CVE-2025-1913 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Webtoffee Product Import Export For Woocommerce. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 50.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection through unsafe deserialization of untrusted input supplied in the form_data parameter. The flaw affects all versions through 2.5.0 and is tracked under CWE-502. No POP chain exists inside the plugin itself, so the issue only becomes exploitable when another plugin or theme on the same site supplies a usable chain.
An authenticated attacker with Administrator privileges can supply a crafted serialized object via the affected import module. Depending on the additional POP chain present, successful exploitation can result in arbitrary file deletion, sensitive data disclosure, or remote code execution. The vulnerability carries a CVSS 3.1 score of 7.2.
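As an added illustration (not the plugin's own code, which the advisory does not reproduce), the unsafe deserialization pattern the text describes beside a hardened handler; the function names, the capability string and the nonce action name are assumptions:

```php
<?php
// Added illustration, not the plugin's code. Function, capability and nonce
// names are assumed for the example.

// VULNERABLE pattern: request-controlled input reaches unserialize(), so any
// class with __wakeup()/__destruct() from a co-installed plugin or theme can
// be instantiated (the "POP chain" the advisory refers to).
function wt_import_settings_unsafe(): array {
    $form_data = wp_unslash($_POST['form_data'] ?? '');
    return (array) unserialize($form_data); // CWE-502
}

// Flags strings that contain a serialized PHP object (O:) or custom-serialized
// class (C:) token. Suitable as a log-side or WAF check, not as the fix itself.
function wt_contains_serialized_object(string $s): bool {
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $s);
}

// HARDENED handler:
//  1. capability and nonce checks restrict who can reach the code path;
//  2. input is parsed as JSON, so no PHP object can be instantiated;
//  3. if legacy serialized arrays must still be accepted, allowed_classes=>false
//     turns every object into __PHP_Incomplete_Class, which runs no magic methods;
//  4. only whitelisted keys survive, each sanitized.
function wt_import_settings_safe(): array {
    if (!current_user_can('manage_woocommerce')) {
        wp_die('Insufficient privileges', 403);
    }
    check_admin_referer('wt_import_settings'); // assumed nonce action

    $raw = wp_unslash($_POST['form_data'] ?? '');
    if (wt_contains_serialized_object($raw)) {
        wp_die('Invalid form data', 400);
    }

    $data = json_decode($raw, true);
    if (!is_array($data)) {
        $data = unserialize($raw, ['allowed_classes' => false]);
        if (!is_array($data)) {
            wp_die('Invalid form data', 400);
        }
    }

    $allowed = ['delimiter', 'skip_first_row', 'merge_existing']; // assumed keys
    $clean = [];
    foreach ($allowed as $key) {
        if (array_key_exists($key, $data)) {
            $clean[$key] = sanitize_text_field((string) $data[$key]);
        }
    }
    return $clean;
}
```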
Public references point to a patched release in changeset 3261194 and updated plugin files on the WordPress Trac and plugin repository. Administrators are advised to update to a version newer than 2.5.0; Wordfence and the plugin developers have published the corresponding advisory and fix details.
EPSS for the CVE rose from a low baseline to a peak of 0.0179 on 2026-02-03 before receding to the current value of 0.0026, indicating a temporary increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8124
Vulnerability details
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
- CWE: CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP Object Injection (deserialization) in a public-facing WordPress plugin allows authenticated administrators to achieve RCE or file operations if an external POP chain is present, mapping directly to exploitation of a public-facing application and Unix shell command execution.
Mitigating Controls (NIST 800-53 r5)
- Mandates timely patching and remediation of the PHP object deserialization flaw in the WooCommerce plugin versions up to 2.5.0.
- SI-10 (Information Input Validation): Requires validation of untrusted inputs like the 'form_data' parameter to block PHP object injection via unsafe deserialization.
- RA-5 (Vulnerability Monitoring and Scanning): Facilitates vulnerability scanning to identify CVE-2025-1913 and potential POP chains in co-installed plugins or themes.