CVE-2025-14478
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-611
Restricción incorrecta de referencia a entidad externa XML (XXE)
Fecha de publicación:
17/01/2026
Última modificación:
17/01/2026
Descripción
*** Pendiente de traducción *** The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.
Impacto
Puntuación base 3.x
7.50
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88
- https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88
- https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve