Cyber Resilience

CVE-2025-1913

HighRCE

Published: 26 March 2025

Published
26 March 2025
Modified
05 December 2025
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 50.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1913 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Webtoffee Product Import Export For Woocommerce. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 50.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection through unsafe deserialization of untrusted input supplied in the form_data parameter. The flaw affects all versions through 2.5.0 and is tracked under CWE-502. No POP chain exists inside the plugin itself, so the issue only becomes exploitable when another plugin or theme on the same site supplies a usable chain.

An authenticated attacker with Administrator privileges can supply a crafted serialized object via the affected import module. Depending on the additional POP chain present, successful exploitation can result in arbitrary file deletion, sensitive data disclosure, or remote code execution. The vulnerability carries a CVSS 3.1 score of 7.2.

Public references point to a patched release in changeset 3261194 and updated plugin files on the WordPress Trac and plugin repository. Administrators are advised to update to a version newer than 2.5.0; Wordfence and the plugin developers have published the corresponding advisory and fix details.

EPSS for the CVE rose from a low baseline to a peak of 0.0179 on 2026-02-03 before receding to the current value of 0.0026, indicating a temporary increase in exploitation interest after disclosure.

EU & UK References

Vulnerability details

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter This makes…

more

it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

PHP Object Injection (deserialization) in public-facing WordPress plugin allows authenticated admins to achieve RCE/file ops if external POP chain present, directly mapping to exploitation of public-facing app and Unix shell command execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1912Same product: Webtoffee Product Import Export For Woocommerce
CVE-2024-13921Same product class: WordPress / CMS plugin
CVE-2024-11465Same product class: WordPress / CMS plugin
CVE-2024-13923Same product class: WordPress / CMS plugin
CVE-2025-2485Same product class: WordPress / CMS plugin
CVE-2025-1971Same vendor: Webtoffee
CVE-2024-13831Same product class: WordPress / CMS plugin
CVE-2026-32502Shared CWE-502
CVE-2024-13792Same product class: WordPress / CMS plugin
CVE-2026-24989Shared CWE-502

Affected Assets

webtoffee
product import export for woocommerce
≤ 2.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely patching and remediation of the PHP object deserialization flaw in the WooCommerce plugin versions up to 2.5.0.

prevent

Requires validation of untrusted inputs like the 'form_data' parameter to block PHP object injection via unsafe deserialization.

detect

Facilitates vulnerability scanning to identify CVE-2025-1913 and potential POP chains in co-installed plugins or themes.

References