cleantalk
Vulnerabilities and Security Researches

Import any XML or CSV File to WordPress, CVE-2025-12733

CVE, Research URL

CVE-2025-12733

Home page URL

Security reports for Import any XML or CSV File to WordPress

Application

Import any XML or CSV File to WordPress

Published on
Nov 13, 2025
Research Description
The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.
Affected versions
max 4.0.0.
Status
vulnerable
Previous vulnerability researches
Import any XML or CSV File to WordPress (CVE-2018-0547) , Jun 07, 2024
Import any XML or CSV File to WordPress (CVE-2022-2268) , Jun 07, 2024
Import any XML or CSV File to WordPress (CVE-2022-36386) , Jun 07, 2024
Import any XML or CSV File to WordPress (CVE-2022-3418) , Jun 07, 2024
Import any XML or CSV File to WordPress (CVE-2022-2711) , Jun 07, 2024
New vulnerability
WPGraphQL (CVE-2026-33290) , Apr 18, 2026
WPGraphQL (CVE-2026-27938) , Apr 18, 2026
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (CVE-2026-1054) , Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5710) , Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5718) , Apr 18, 2026