
CVE-2025-2332

Severity: Critical · RCE

Published: 27 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0054 (68.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2332 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Export All Posts, Products, Orders, Refunds & Users plugin for WordPress (product attribution inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.0% of CVEs by EPSS exploit likelihood (68.0th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 2.13. The flaw stems from deserialization (PHP's unserialize()) of untrusted input inside the returnMetaValueAsCustomerInput function, which lets an attacker supply a serialized PHP object that the plugin instantiates. The issue is tracked as CWE-502 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the vulnerability over the network by sending a crafted request whose serialized payload reaches that function. Because the plugin itself contains no POP (property-oriented programming) gadget chain, instantiating an object alone has no impact: successful exploitation requires a second plugin or theme on the same site that supplies a usable chain (typically a class with a __wakeup or __destruct method that passes attacker-controlled properties to a file or code sink). When such a chain exists, the attacker may be able to delete arbitrary files, exfiltrate sensitive data, or execute arbitrary code, depending on the chain.

The Wordfence advisory and the linked WordPress plugin changeset indicate that the vendor addressed the issue by updating the affected code path; site administrators should apply the patch released in changeset 3257504 or upgrade to a version newer than 2.13. Because the impact depends on co-installed code, an inventory of other plugins and themes on the site is the practical check of real exposure until the patch is applied.

EPSS for the CVE rose from a low baseline to a peak of 0.0212 on 2026-02-03, well after public disclosure, before receding to the current 0.0054. EPSS is a model estimate of exploitation probability, so the rise reflects increased estimated likelihood rather than confirmed in-the-wild exploitation, which is consistent with the CVE's absence from KEV.
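To make the two points above concrete (unserialize() on attacker input is the bug, and a gadget class from another component is what turns it into impact), here is an added PHP illustration. It is not the plugin's code: the function names, the GadgetFromOtherPlugin class and the payload are hypothetical, and it assumes PHP 8.0 or later.

```php
<?php
// Added illustration of CVE-2025-2332's pattern; not code from the plugin.
// All names below are hypothetical. Requires PHP >= 8.0 (mixed, typed props).
declare(strict_types=1);

// A gadget that would live in a *different* plugin or theme. The export
// plugin has no such class; without one, an injected object does nothing.
class GadgetFromOtherPlugin
{
    public string $path = '';

    // Runs when the object is destroyed, e.g. at end of request. A real
    // chain would hit a sink such as unlink($this->path) here.
    public function __destruct()
    {
        echo "sink reached with attacker-controlled value: {$this->path}\n";
    }
}

// Vulnerable pattern (CWE-502): any loaded class can be instantiated.
function returnMetaValueAsCustomerInput_vulnerable(string $meta): mixed
{
    return unserialize($meta);
}

// Hardened pattern: allowed_classes => false turns every O:... element
// into __PHP_Incomplete_Class, so no __wakeup/__destruct of a real class
// can run. We then refuse object payloads outright.
function returnMetaValueAsCustomerInput_fixed(string $meta): mixed
{
    $value = unserialize($meta, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null; // object payload rejected
    }
    return $value;
}

// Constructed payload: what serialize() produces for the gadget above with
// path set to "/tmp/victim".
$withGadget = 'O:21:"GadgetFromOtherPlugin":1:{s:4:"path";s:11:"/tmp/victim";}';

// Constructed payload naming a class that is not loaded on this site,
// i.e. the "no POP chain present" case the advisory describes.
$noGadget = 'O:18:"NotInstalledGadget":1:{s:4:"path";s:11:"/tmp/victim";}';

echo "1. vulnerable function, gadget class present:\n";
$obj = returnMetaValueAsCustomerInput_vulnerable($withGadget);
var_dump($obj instanceof GadgetFromOtherPlugin); // bool(true)
unset($obj);                                      // __destruct fires: sink reached

echo "2. vulnerable function, no gadget class loaded:\n";
$obj = returnMetaValueAsCustomerInput_vulnerable($noGadget);
var_dump($obj instanceof __PHP_Incomplete_Class); // bool(true): object is inert

echo "3. fixed function, gadget class present:\n";
var_dump(returnMetaValueAsCustomerInput_fixed($withGadget)); // NULL
```

Case 2 is why the advisory says the bug "has no impact unless another plugin or theme containing a POP chain is installed": PHP still parses the payload, but an incomplete class has no methods to run. Case 3 shows the fix that removes the dependency on what else is installed. Where the stored value never needs to be an object, replacing unserialize() with json_decode() is the simpler option, since JSON cannot express PHP objects at all.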


Vulnerability details

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

T1190: the flaw is reachable by unauthenticated requests to a public-facing WordPress plugin. T1059: if a POP chain from another installed component is present, the injected object can lead to arbitrary code execution or data manipulation on the host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29782 (shared CWE-502)
CVE-2026-42778 (shared CWE-502)
CVE-2025-68047 (shared CWE-502)
CVE-2026-22345 (shared CWE-502)
CVE-2024-28988 (shared CWE-502)
CVE-2026-47161 (shared CWE-502)
CVE-2024-9664 (shared CWE-502)
CVE-2026-24385 (shared CWE-502)
CVE-2026-27084 (shared CWE-502)
CVE-2025-42944 (shared CWE-502)

Affected Assets

WordPress: Export All Posts, Products, Orders, Refunds & Users plugin, versions up to and including 2.13
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent)

Flaw remediation directly patches the deserialization vulnerability in the Export All Posts plugin by updating beyond version 2.13, removing the unsafe unserialize path that enables PHP object injection.

SI-10 Information Input Validation (prevent)

Information input validation ensures untrusted data passed to the returnMetaValueAsCustomerInput function is checked before deserialization, so serialized PHP objects are rejected rather than instantiated.

CM-11 User-Installed Software (prevent)

User-installed software restrictions limit which plugins and themes can be deployed, reducing both the chance that the vulnerable plugin is present and the chance that a co-installed plugin or theme supplies an exploitable POP chain.
