Platform
wordpress
Component
wp-all-import
Fixed version
3.9.7
CVE-2025-12733 is a critical Remote Code Execution (RCE) vulnerability discovered in the WP All Import plugin for WordPress. This vulnerability allows authenticated attackers with import capabilities to inject and execute arbitrary PHP code on the server. The vulnerability affects versions 0.0.0 through 3.9.6 and has been resolved in version 4.0.0.
The impact of this vulnerability is severe. An attacker who can successfully exploit this flaw can gain complete control over the WordPress server. This includes the ability to modify website content, install malicious software, steal sensitive data (user credentials, database information), and potentially pivot to other systems on the network. The use of eval() on unsanitized user input in the pmxi_if function within helpers/functions.php is the root cause, making import templates a potential attack vector. Successful exploitation could lead to a complete compromise of the web server and any data stored within it.
This vulnerability was publicly disclosed on 2025-11-13. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the plugin's popularity make it a likely target. The use of eval() in this context mirrors vulnerabilities seen in other PHP applications, increasing the likelihood of automated exploitation attempts. No KEV listing at the time of writing.
Websites using the WP All Import plugin, particularly those with multiple administrators or users with import capabilities, are at risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a compromise on one site could potentially lead to a compromise of others.
• wordpress / composer / npm:
grep -r 'pmxi_if' /var/www/html/wp-content/plugins/wp-all-import/
• wordpress / composer / npm:
wp plugin list | grep 'wp-all-import'
• wordpress / composer / npm:
wp plugin update wp-all-import --version=4.0.0
• generic web: Check the WordPress plugin directory for known malicious versions of WP All Import.
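The commands above check for the plugin by name; the script below, an added example that is not part of this advisory or of the plugin, goes one step further and reads the installed plugin's `Version:` header and compares it with the fixed release. The fixed version is a parameter because this page gives 4.0.0 in its text and 3.9.7 in its header; the directory layout (slug `wp-all-import`, header in a top-level `.php` file) is an assumption.

```shell
#!/bin/sh
# Added example, not the advisory's or the plugin's own code: read the WP All
# Import plugin header version and compare it with the fixed release. The
# fixed version is a parameter because the advisory lists 4.0.0 in its text
# and 3.9.7 in its header. Directory layout is assumed (slug wp-all-import,
# Version: header in a top-level .php file).
set -eu

# Print the "Version:" header value of the plugin in directory $1.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    done
    return 1
}

# True (exit 0) when installed version $1 sorts below fixed version $2.
# sort -V compares dotted versions numerically, so 3.9.10 is newer than 3.9.7.
is_vulnerable() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Report every wp-all-import* plugin under WordPress root $1; exit 1 if any
# directory is vulnerable or has no readable version.
check_site() {
    root=$1 fixed=${2:-4.0.0} status=0
    for dir in "$root"/wp-content/plugins/wp-all-import*; do
        [ -d "$dir" ] || continue
        if ! v=$(plugin_version "$dir"); then
            echo "WARN  $dir: no Version header"; status=1
        elif is_vulnerable "$v" "$fixed"; then
            echo "VULN  $dir: version $v is below $fixed"; status=1
        else
            echo "OK    $dir: version $v"
        fi
    done
    return $status
}

# Constructed sample install so the script runs offline; point check_site at
# a real document root (e.g. /var/www/html) instead.
sample=$(mktemp -d)
mkdir -p "$sample/wp-content/plugins/wp-all-import"
printf '<?php\n/*\n * Plugin Name: WP All Import\n * Version: 3.9.6\n */\n' \
    > "$sample/wp-content/plugins/wp-all-import/plugin.php"
check_site "$sample" 4.0.0 || true
rm -rf "$sample"
```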
disclosure
Exploitation status
EPSS
0.43% (62nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the WP All Import plugin to version 4.0.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting import capabilities to trusted administrators only. Implement a Web Application Firewall (WAF) with rules to block suspicious import requests containing potentially malicious code. Regularly review import templates for any unusual or unexpected code. Monitor WordPress logs for any signs of unauthorized code execution.
Update to version 4.0.0 or a newer patched version.
CVE-2025-12733 is a Remote Code Execution vulnerability in the WP All Import plugin for WordPress, allowing attackers to execute arbitrary PHP code.
You are affected if you are using WP All Import versions 0.0.0 through 3.9.6. Upgrade to version 4.0.0 or later to mitigate the risk.
Upgrade the WP All Import plugin to version 4.0.0 or later. If immediate upgrade is not possible, restrict import capabilities and implement WAF rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the official WP All Import website and WordPress security announcements for the latest advisory and updates.