Platform: wordpress
Component: wp-all-import
Fixed in: 3.9.7
CVE-2025-12733 is a critical Remote Code Execution (RCE) vulnerability in the WP All Import plugin for WordPress. An authenticated user who holds the plugin's import capability can place PHP code in an import template and have the server execute it. All releases up to and including 3.9.6 are affected; the fix shipped in 3.9.7, and every later release (4.0.0 and up included) carries it.
The root cause is a call to eval() on unsanitized, user-supplied input in the pmxi_if function in helpers/functions.php, which turns the conditional logic of an import template into a PHP execution sink. Successful exploitation hands the attacker code execution as the web server user: they can modify site content, drop web shells or other malware, read wp-config.php and the database (user credentials, customer data), and pivot to other systems reachable from the host. One caveat for triage: in a default installation the import screens are an administrator-level feature, so the attacker already controls the WordPress site itself. What the flaw adds is a path from WordPress administrator to arbitrary PHP on the host, which matters most on shared or managed hosting, on multisite networks, and wherever administrator accounts are handed to clients or contractors.
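To make the root cause concrete, here is an added illustration written for this advisory; it is not WP All Import's code. pmxi_if is PHP, so unsafe_if and safe_if below are hypothetical Python stand-ins for the same pattern: the first splices template text into a string and hands it to eval(), which is the bug class described above; the second parses the condition into a syntax tree (parsing executes nothing) and only evaluates an allow-listed grammar of field names, literals, comparisons and and/or/not. RECORD is a constructed sample record. The actual upstream fix may be implemented differently.

```python
"""Why eval() on a template condition is code execution, and what a safe
evaluator looks like.  Added illustration, not WP All Import's code: pmxi_if
is PHP; unsafe_if / safe_if are hypothetical Python stand-ins for the pattern."""
import ast
import operator
import re

RECORD = {"price": "19.99", "stock": "0", "title": "Widget"}  # constructed sample
SINK = []  # lets a caller prove that attacker code ran without touching the OS


def unsafe_if(condition: str, record: dict) -> bool:
    """Vulnerable pattern: substitute field values into the condition text and
    hand the result to eval().  Whoever controls `condition` controls what runs."""
    expr = condition
    for key, value in record.items():
        expr = expr.replace("{" + key + "}", repr(value))
    return bool(eval(expr))  # RCE sink: the condition is executed, not compared


# Allow-list of comparison operators the safe evaluator understands.
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


def _coerce(a, b):
    """Compare numerically when both sides parse as numbers, else as strings."""
    try:
        return float(a), float(b)
    except (TypeError, ValueError):
        return str(a), str(b)


def _eval_node(node: ast.AST, record: dict):
    """Evaluate only literals, field names, not/and/or and comparisons.
    Anything else (calls, attributes, subscripts, arithmetic) is rejected."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in record:
            raise ValueError(f"unknown field {node.id!r}")
        return record[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_node(node.operand, record)
    if isinstance(node, ast.BoolOp):
        values = [bool(_eval_node(v, record)) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        left = _eval_node(node.left, record)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMP:
                raise ValueError(f"disallowed operator {type(op).__name__}")
            right = _eval_node(comparator, record)
            a, b = _coerce(left, right)
            if not _CMP[type(op)](a, b):
                return False
            left = right
        return True
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_if(condition: str, record: dict) -> bool:
    """Hardened pattern: parse the condition (no execution), walk the tree
    against an allow-list, and bind field names to values instead of splicing
    text.  Raises ValueError for anything outside the grammar."""
    expr = re.sub(r"\{(\w+)\}", r"\1", condition)  # "{price}" -> name "price"
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"malformed condition: {exc.msg}") from None
    return bool(_eval_node(tree.body, record))


if __name__ == "__main__":
    cond = "{price} > 10 and {stock} == 0"
    print("safe  :", safe_if(cond, RECORD))
    payload = "SINK.append('pwned') or True"  # attacker-controlled condition
    print("unsafe:", unsafe_if(payload, RECORD), SINK)
    try:
        safe_if(payload, RECORD)
    except ValueError as exc:
        print("safe rejects:", exc)
```

The point generalises beyond this plugin: any "expression language" that is implemented by building a string and calling the host language's eval() is an injection sink, and the fix is a parser plus an allow-listed interpreter, not input filtering.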
The vulnerability was publicly disclosed on 2025-11-13. No in-the-wild exploitation campaigns have been reported publicly, but the plugin's install base and the simplicity of the bug (a template field that reaches eval()) make automated attempts likely; the same eval()-on-input pattern has been scripted against other PHP applications before. Not listed in CISA KEV at the time of writing.
Exploit Status
No public exploitation reported; not in CISA KEV at the time of writing
EPSS
0.43% (62nd percentile)
The primary mitigation is to upgrade WP All Import to 3.9.7 or later without delay (4.0.0 and later also contain the fix). Confirm the installed version from the plugin header or with WP-CLI (`wp plugin get wp-all-import --field=version`). If the upgrade has to wait for compatibility testing, reduce exposure in the meantime: keep the set of accounts that can run imports (administrators, by default) as small as possible, audit them, and enforce strong authentication and MFA on them, since every such account is now a PHP execution path. A Web Application Firewall rule that blocks import requests containing PHP constructs (<?php, eval(, system(, base64_decode( and the like) raises the bar but is only a stopgap: the request comes from an authenticated admin form and PHP payloads are easy to obfuscate. Review saved import templates for code that does not belong there, and watch web server and PHP logs for unexpected process execution or new PHP files under wp-content/uploads.
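The "review import templates" step is worth scripting, because a backdoor left in a template survives the plugin upgrade. The scanner below is an added example for this advisory, not a WP All Import tool: it walks every string in a template structure and flags PHP execution primitives and superglobals that have no business in a field mapping. The template shape (a name plus an options dictionary) and the sample templates are constructed for the example; the WP All Import field syntax shown in them is illustrative, and the indicator list should be tuned to your environment.

```python
"""Scan saved import templates for PHP code where only field mappings belong.
Added example, not WP All Import's code; template shape and samples are
constructed for illustration."""
import re

# Indicators of PHP execution or request-controlled input inside a template.
PHP_SINKS = [
    r"<\?php", r"\beval\s*\(", r"\bassert\s*\(", r"\bsystem\s*\(", r"\bexec\s*\(",
    r"\bshell_exec\s*\(", r"\bpassthru\s*\(", r"\bpopen\s*\(", r"\bproc_open\s*\(",
    r"\bbase64_decode\s*\(", r"\bfile_put_contents\s*\(", r"\bcreate_function\s*\(",
    r"\$_(GET|POST|REQUEST|COOKIE)\b", r"`[^`]+`", r"\b(include|require)(_once)?\b",
]
SINK_RE = re.compile("|".join(PHP_SINKS), re.IGNORECASE)

# Constructed sample templates: one clean, one with a planted backdoor.
SAMPLE_TEMPLATES = [
    {"name": "products-clean", "options": {
        "title": "{name[1]}",
        "custom_fields": {"_price": "[if({price[1]} > 0)]{price[1]}[else]0[endif]"},
    }},
    {"name": "products-backdoored", "options": {
        "title": "{name[1]}",
        "custom_fields": {"_note": "[if(1)]x[endif]<?php eval(base64_decode($_POST['c'])); ?>"},
        "content": "[if(system('id'))]a[endif]",
    }},
]


def scan_template(options) -> list:
    """Return (path, snippet) for every indicator hit in any string value,
    recursing through nested dicts and lists so deeply nested fields are seen."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else str(key))
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            for m in SINK_RE.finditer(node):
                start, end = max(0, m.start() - 20), min(len(node), m.end() + 20)
                findings.append((path, node[start:end]))

    walk(options, "")
    return findings


def scan_templates(templates) -> dict:
    """Map template name -> findings, so empty lists identify clean templates."""
    return {t["name"]: scan_template(t["options"]) for t in templates}


if __name__ == "__main__":
    for name, hits in scan_templates(SAMPLE_TEMPLATES).items():
        status = "CLEAN" if not hits else f"{len(hits)} indicator(s)"
        print(f"{name}: {status}")
        for path, snippet in hits:
            print(f"  {path}: ...{snippet}...")
```

Expect some false positives on free-text fields (the word "include" in a product description, for instance); the goal is a short review list for a human, not an automatic block. Feed it the templates as exported or as read from the plugin's storage, and run it again after any import configuration change.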
Update to version 3.9.7, or a newer patched version
CVE-2025-12733 is a Remote Code Execution vulnerability in the WP All Import plugin for WordPress: an authenticated user with the plugin's import capability can execute arbitrary PHP code on the server through an import template.
You are affected if you run WP All Import 3.9.6 or any earlier release. Upgrade to 3.9.7 or later to close the issue.
Upgrade the WP All Import plugin to 3.9.7 or later. If an immediate upgrade is not possible, minimise and audit the accounts that can run imports, add WAF rules for PHP constructs in import requests, and review saved templates.
No active exploitation campaigns have been reported publicly, but the flaw is simple to exploit once an import-capable account is obtained, so treat it as a likely target.
Refer to the official WP All Import website and WordPress security announcements for the latest advisory and updates.