CVE-2025-2332
Published: 27 March 2025
Summary
CVE-2025-2332 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Export All Posts, Products, Orders, Refunds & Users plugin for WordPress (affected product inferred from references). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 32.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions through 2.13. The flaw stems from unsafe deserialization of untrusted input inside the returnMetaValueAsCustomerInput function, which permits an attacker to supply a serialized PHP object. The issue is tracked as CWE-502 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the vulnerability over the network by sending a crafted request that carries a serialized PHP object in the affected input. Because the plugin itself contains no POP chain (no class whose magic methods do something useful when instantiated with attacker-chosen properties), successful exploitation requires a second installed plugin or theme that supplies such a chain; when one exists, the attacker may be able to delete arbitrary files, exfiltrate sensitive data, or execute arbitrary code, depending on what that chain does.
The Wordfence advisory and the linked WordPress plugin changeset indicate that the vendor addressed the issue by updating the affected code path; site administrators should apply the patch released in changeset 3257504 or upgrade to a version newer than 2.13. Since impact hinges on co-installed components, an inventory of other plugins and themes on the site is the second check worth making.
EPSS for the CVE rose from a low baseline to a peak of 0.0212 on 2026-02-03 (roughly a 2% predicted probability of exploitation activity in the following 30 days) before receding, indicating a modest increase in exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8283
Vulnerability details
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
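The mechanics described in the Deeper analysis and Vulnerability details sections above, as an added example that is not the plugin's own code: a gadget class standing in for one that a different plugin or theme might ship, a vulnerable function shape that hands a request-controlled meta value to unserialize(), and a hardened shape that refuses to instantiate classes from that input. The only fact taken from the advisory is the name returnMetaValueAsCustomerInput and that it deserializes untrusted input; the function bodies, the TempFileCleaner class, the containsObject and craftPayload helpers and the temporary file path are assumptions made for the demonstration.

```php
<?php
// Added illustration (not the plugin's code). The only fact taken from the
// advisory is that returnMetaValueAsCustomerInput hands untrusted input to
// unserialize(); the function bodies, the gadget class and the file path
// below are assumptions made for the demonstration.

// Stand-in for a gadget shipped by a *different* plugin or theme. The
// vulnerable plugin has no such class, which is why the advisory says the
// bug has no impact on its own. __destruct runs when the object produced by
// unserialize() is released, with attacker-chosen property values.
class TempFileCleaner
{
    public $path;

    public function __destruct()
    {
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path); // the "delete arbitrary files" outcome
        }
    }
}

// Vulnerable shape: a meta value controlled by the requester goes straight
// into unserialize(), so any loadable class can be instantiated.
function returnMetaValueAsCustomerInput_vulnerable($meta_value)
{
    return unserialize($meta_value);
}

// Hardened shape: allowed_classes => false turns every object in the string
// into __PHP_Incomplete_Class, whose magic methods never run; anything that
// still contains an object is then dropped, so callers only ever see
// scalars and arrays. Non-serialized strings pass through unchanged.
function returnMetaValueAsCustomerInput_hardened($meta_value)
{
    if (!is_string($meta_value)) {
        return $meta_value;
    }
    $decoded = @unserialize($meta_value, ['allowed_classes' => false]);
    if ($decoded === false && $meta_value !== 'b:0;') {
        return $meta_value; // plain string, not serialized data
    }
    return containsObject($decoded) ? null : $decoded;
}

function containsObject($value)
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed attacker input: the serialized object a crafted request would
// carry, pointing the gadget at a file the attacker wants removed.
function craftPayload($path)
{
    return 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($path) . ':"' . $path . '";}';
}

// Vulnerable path: the gadget is instantiated and its destructor deletes the file.
$victim = tempnam(sys_get_temp_dir(), 'poi');
$obj = returnMetaValueAsCustomerInput_vulnerable(craftPayload($victim));
unset($obj);
printf("vulnerable: file %s\n", file_exists($victim) ? 'survived' : 'deleted');

// Hardened path: no TempFileCleaner is ever created and the file survives.
$victim = tempnam(sys_get_temp_dir(), 'poi');
$result = returnMetaValueAsCustomerInput_hardened(craftPayload($victim));
printf("hardened: returned %s, file %s\n", var_export($result, true),
       file_exists($victim) ? 'survived' : 'deleted');
unlink($victim);
```

Run with `php poi_demo.php` (PHP 7.0 or later, which is when the allowed_classes option was added). The vulnerable call deletes the temporary file even though nothing in "the plugin" calls unlink; the destructor belongs to the co-installed gadget, which is the dependency the advisory describes. The hardened version is a containment measure for code that must keep calling unserialize(); where the stored value is the plugin's own data, storing it as JSON and never deserializing request-controlled strings removes the class of bug entirely.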
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 Exploit Public-Facing Application: the vulnerable plugin is reachable by unauthenticated remote requests to the WordPress site. T1059 Command and Scripting Interpreter: arbitrary code execution or data manipulation becomes possible only when a POP chain from another installed plugin or theme is present.
Mitigating Controls (NIST 800-53 r5)
SI-2 Flaw Remediation: updating the Export All Posts plugin beyond version 2.13 (changeset 3257504) removes the unsafe deserialization and so the PHP object injection itself.
SI-10 Information Input Validation: untrusted data reaching the returnMetaValueAsCustomerInput function is rejected, or deserialized with class instantiation disabled, before it can be turned into a PHP object.
CM-11 User-Installed Software: restricting which plugins and themes may be installed keeps both the vulnerable plugin and co-installed components that could supply an exploitable POP chain off the site.