Cyber Posture

CVE-2025-1913

Severity: High · Impact: RCE

Published: 26 March 2025
Modified: 05 December 2025
KEV Added: not listed
Patch: see References
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1913 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Webtoffee Product Import Export For Woocommerce. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Mandates timely patching and remediation of the PHP object deserialization flaw in the WooCommerce plugin versions up to 2.5.0.
- prevent: Requires validation of untrusted inputs like the 'form_data' parameter to block PHP object injection via unsafe deserialization.
- detect: Facilitates vulnerability scanning to identify CVE-2025-1913 and potential POP chains in co-installed plugins or themes.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

PHP Object Injection via deserialization in a public-facing WordPress plugin allows authenticated administrators to achieve remote code execution or file operations when an external POP chain is present; this maps directly to exploitation of a public-facing application and to Unix shell command execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Deeper analysis (AI-generated)

CVE-2025-1913 is a PHP Object Injection vulnerability (CWE-502) affecting the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress, in all versions up to and including 2.5.0. The flaw arises from deserialization of untrusted input in the 'form_data' parameter, enabling authenticated attackers with Administrator-level access or higher to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires an authenticated attacker with admin privileges or above, who can leverage the deserialization to inject objects. While no known Property-Oriented Programming (POP) chain exists within the vulnerable plugin itself, rendering it low-impact in isolation, the presence of a POP chain from another installed plugin or theme could enable severe outcomes such as arbitrary file deletion, sensitive data retrieval, or arbitrary code execution, depending on the chain.

Wordfence's threat intelligence advisory and WordPress plugin trac references, including changeset 3261194, detail mitigation efforts, with patches applied to address the deserialization issue in the plugin's import AJAX handler (class-import-ajax.php). Security practitioners should update to versions beyond 2.5.0 and review co-installed plugins/themes for potential POP chains. A proof-of-concept is available on GitHub for testing.
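To make the class of flaw concrete, the following is an added illustration and not code from the affected plugin: a constructed handler that restores a saved import configuration from a 'form_data' parameter, showing the unsafe deserialization pattern the advisory describes next to two hardened variants. Function names and the sample inputs are hypothetical.

```php
<?php
// Constructed illustration, not code from the affected plugin.
// Unsafe pattern: unserialize() on attacker-controlled input instantiates
// whatever class the payload names. With no gadget (POP) chain in the plugin
// itself this does little, but any co-installed plugin or theme whose classes
// define magic methods (__wakeup, __destruct, __toString) can turn the same
// call into file deletion, data disclosure or code execution (CWE-502).
function unsafe_restore_form_data(string $raw)
{
    return unserialize($raw);
}

// Hardened variant: refuse to instantiate any class. Objects embedded in the
// payload are restored as __PHP_Incomplete_Class, whose magic methods never
// run; anything that is not a plain array of settings is discarded.
function safe_restore_form_data(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Drop any incomplete-class placeholders that survived inside the array.
    return array_filter($data, fn ($value) => !is_object($value));
}

// Preferred replacement: a data format that cannot instantiate classes at all.
function safest_restore_form_data(string $raw): array
{
    $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed inputs: a legitimate settings array, then one that smuggles an
// object. stdClass is used so the demonstration itself is harmless.
$benign   = serialize(['delimiter' => ',', 'columns' => ['sku', 'price']]);
$smuggled = 'a:1:{s:7:"columns";O:8:"stdClass":1:{s:4:"note";s:2:"hi";}}';

$unsafe = unsafe_restore_form_data($smuggled);
echo 'unsafe: columns is ', get_debug_type($unsafe['columns']), PHP_EOL;

$safe = safe_restore_form_data($smuggled);
echo 'safe:   ', count($safe), ' field(s) kept after stripping objects', PHP_EOL;

$json = safest_restore_form_data(json_encode(unserialize($benign)));
echo 'json:   ', implode(',', $json['columns']), PHP_EOL;
```

Migrating stored settings from PHP serialization to JSON, as in the last function, removes the deserialization sink entirely rather than relying on `allowed_classes` to neutralise it.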

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products:

- webtoffee: product import export for woocommerce, ≤ 2.5.1

CVEs Like This One

- CVE-2025-1912 – Same product: Webtoffee Product Import Export For Woocommerce
- CVE-2024-13921 – Same product class: WordPress / CMS plugin
- CVE-2024-13923 – Same product class: WordPress / CMS plugin
- CVE-2025-1971 – Same vendor: Webtoffee
- CVE-2025-2485 – Same product class: WordPress / CMS plugin
- CVE-2024-11465 – Same product class: WordPress / CMS plugin
- CVE-2026-25358 – Shared CWE-502
- CVE-2026-24989 – Shared CWE-502
- CVE-2025-30773 – Shared CWE-502
- CVE-2026-25316 – Shared CWE-502

References