Platform
wordpress
Component
wp-all-import
Fixed in
3.9.7
CVE-2025-12733 is a critical Remote Code Execution (RCE) vulnerability discovered in the WP All Import plugin for WordPress. This vulnerability allows authenticated attackers with import capabilities to inject and execute arbitrary PHP code on the server. The vulnerability affects versions 0.0.0 through 3.9.6 and has been resolved in version 4.0.0.
The impact of this vulnerability is severe. An attacker who can successfully exploit this flaw can gain complete control over the WordPress server. This includes the ability to modify website content, install malicious software, steal sensitive data (user credentials, database information), and potentially pivot to other systems on the network. The use of eval() on unsanitized user input in the pmxi_if function within helpers/functions.php is the root cause, making import templates a potential attack vector. Successful exploitation could lead to a complete compromise of the web server and any data stored within it.
This vulnerability was publicly disclosed on 2025-11-13. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the plugin's popularity make it a likely target. The use of eval() in this context mirrors vulnerabilities seen in other PHP applications, increasing the likelihood of automated exploitation attempts. No KEV listing at the time of writing.
Websites using the WP All Import plugin, particularly those with multiple administrators or users with import capabilities, are at risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a compromise on one site could potentially lead to a compromise of others.
• wordpress / composer / npm:
grep -r 'pmxi_if' /var/www/html/wp-content/plugins/wp-all-import/
• wordpress / composer / npm:
wp plugin list | grep 'wp-all-import'
• wordpress / composer / npm:
wp plugin update wp-all-import --version=4.0.0
• generic web: Check WordPress plugin directory for known malicious versions of WP All Import.
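The wp-cli checks above cover one site at a time. As an added example (not part of this advisory or of the plugin), the Python script below walks a web root that may hold several WordPress installs, reads the version from each wp-all-import plugin header and classifies it against the range stated above (0.0.0 through 3.9.6 affected). The root path and the sample header block are constructed for illustration.

```python
import re
from pathlib import Path

# Affected range as stated in the advisory for CVE-2025-12733: 0.0.0 through 3.9.6.
AFFECTED_MAX = (3, 9, 6)
PLUGIN_SLUG = "wp-all-import"  # directory name under wp-content/plugins

# WordPress keeps plugin metadata in the comment block at the top of the plugin's main
# PHP file. This header is a constructed sample for the demo, not copied from the plugin.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP All Import
Version: 3.9.6
*/
"""

# Matches a "Version: x.y.z" header line, with or without a leading " * ".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE | re.IGNORECASE)

def parse_version(header_text):
    """Return the plugin version as a 3-tuple of ints, or None if no header is found."""
    match = VERSION_RE.search(header_text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).strip(".").split(".") if p]
    # Pad short versions ("4.0" -> 4.0.0) and truncate longer ones ("3.9.6.1" -> 3.9.6),
    # which deliberately errs toward flagging a patch-suffixed 3.9.6 as affected.
    return tuple((parts + [0, 0, 0])[:3])

def is_vulnerable(version):
    """True inside the affected range; an unknown version (None) is not flagged."""
    return version is not None and version <= AFFECTED_MAX

def scan_plugin_dirs(root):
    """Classify every wp-all-import install under root; returns (dir, version, vulnerable) tuples."""
    findings = []
    for plugin_dir in Path(root).glob("**/wp-content/plugins/" + PLUGIN_SLUG):
        version = None
        for php in sorted(plugin_dir.glob("*.php")):
            version = parse_version(php.read_text(errors="replace"))
            if version:
                break
        findings.append((str(plugin_dir), version, is_vulnerable(version)))
    return findings

if __name__ == "__main__":
    # Point this at the web root, e.g. /var/www on a shared host with several sites.
    for plugin_dir, version, vulnerable in scan_plugin_dirs("/var/www"):
        print(plugin_dir, version, "VULNERABLE" if vulnerable else "not affected")
```

An install that yields no version is reported with None rather than flagged, so review those directories by hand.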
disclosure
Exploit status
EPSS
0.43% (62nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the WP All Import plugin to version 4.0.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting import capabilities to trusted administrators only. Implement a Web Application Firewall (WAF) with rules to block suspicious import requests containing potentially malicious code. Regularly review import templates for any unusual or unexpected code. Monitor WordPress logs for any signs of unauthorized code execution.
Update to version 4.0.0 or a later fixed version
CVE-2025-12733 is a Remote Code Execution vulnerability in the WP All Import plugin for WordPress, allowing attackers to execute arbitrary PHP code.
You are affected if you are using WP All Import versions 0.0.0 through 3.9.6. Upgrade to version 4.0.0 or later to mitigate the risk.
Upgrade the WP All Import plugin to version 4.0.0 or later. If immediate upgrade is not possible, restrict import capabilities and implement WAF rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the official WP All Import website and WordPress security announcements for the latest advisory and updates.