Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-1913— Product Import Export for WooCommerce <= 2.5.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter

CVSS 7.2 · High EPSS 0.18% · P39
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-1913

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Product Import Export for WooCommerce <= 2.5.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Product Import Export for WooCommerce 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Product Import Export for WooCommerce 2.5.0及之前版本存在代码问题漏洞,该漏洞源于form_data参数反序列化不可信输入导致PHP对象注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
webtoffeeProduct Import Export for WooCommerce – Import Export Product CSV Suite * ~ 2.5.0 -

II. Public POCs for CVE-2025-1913

#POC DescriptionSource LinkShenlong Link
1A PoC demonstrating CVE-2025-1913, showing how the plugin’s unsafe unserialize handling can lead to high-impact behavior in controlled environments. Contains a harmful payload for authorized testing only. Use strictly in isolated labs and for defensive research.https://github.com/S0haib518-KSA/CVE-2025-1913-PoCPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-1913

登录查看更多情报信息。

Same Patch Batch · webtoffee · 2025-03-26 · 4 CVEs total

CVE-2025-19127.6 HIGHProduct Import Export for WooCommerce <= 2.5.0 - Authenticated (Administrator+) Server-Sid
CVE-2025-17694.9 MEDIUMProduct Import Export for WooCommerce <= 2.5.0 - Directory Traversal to Authenticated (Adm
CVE-2025-19112.7 LOWProduct Import Export for WooCommerce <= 2.5.0 - Directory Traversal to Authenticated (Adm

IV. Related Vulnerabilities

Same product: Product Import Export for WooCommerce – Import Export Product CSV Suite
Same vendor: webtoffee
Same weakness: CWE-502

V. Comments for CVE-2025-1913

No comments yet

Leave a comment