🔐 CVE Alert

CVE-2025-12733

HIGH 8.8

Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.

CWE CWE-94
Vendor wpallimport
Product wp all import – drag & drop import for csv, xml, excel & google sheets
Published Nov 13, 2025
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for wpallimport wp all import – drag & drop import for csv, xml, excel & google sheets

Be the first to know when new high vulnerabilities affecting wpallimport wp all import – drag & drop import for csv, xml, excel & google sheets are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

wpallimport / WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets
0 ≤ 3.9.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/8475dd90-b47a-42b4-8e4e-44e8512e4fca?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-all-import/tags/3.9.6/helpers/functions.php#L79 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3393968%40wp-all-import&new=3393968%40wp-all-import&sfp_email=&sfph_mail=

Credits

tmrswrr