CVE-2025-2332: PHP Object Injection Vulnerability in WordPress Export Plugin

Overview

A critical vulnerability has been identified in the WordPress plugin Export All Posts, Products, Orders, Refunds & Users, affecting all versions up to and including 2.13. Tracked as CVE-2025-2332, this flaw exposes sites to PHP Object Injection due to unsafe deserialization of user input within the returnMetaValueAsCustomerInput function.

Technical Details

The vulnerability stems from a lack of input validation when data is passed to the returnMetaValueAsCustomerInput function. Specifically, the function deserializes untrusted user input, a weakness classified as Deserialization of Untrusted Data (CWE-502).

This vulnerability can allow unauthenticated attackers to inject PHP objects into the application. Although the vulnerable plugin does not contain a known POP chain (Property-Oriented Programming chain), the impact becomes critical if another plugin or theme on the same site introduces such a chain. In such cases, an attacker could:

  • Delete arbitrary files
  • Access sensitive information
  • Execute arbitrary code on the server

Severity and CVSS Score

According to CVSS v3.1, this vulnerability has been scored 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score indicates:

  • Attack Vector (AV:N): Exploitable over the network
  • Attack Complexity (AC:L): Low complexity required
  • Privileges Required (PR:N): No authentication necessary
  • User Interaction (UI:N): No user interaction needed
  • Impact (C, I, A: H): High impact on confidentiality, integrity, and availability

Impact Analysis

By itself, CVE-2025-2332 cannot be exploited for arbitrary code execution due to the absence of a POP chain in the vulnerable plugin. However, in real-world environments where other plugins or themes introduce a POP chain, the potential damage becomes severe. This highlights the importance of defense-in-depth and avoiding unnecessary plugin installations.

Mitigation and Recommendations

  • Update Immediately: Site administrators using versions ≤ 2.13 of this plugin should upgrade to a fixed version as soon as one is available.
  • Audit Plugins and Themes: Remove or replace any plugins or themes that may introduce exploitable POP chains.
  • Monitor Logs: Check for unexpected activity or unusual file changes.
  • Use Application Firewalls: Tools like Wordfence can help detect and block such injection attempts.
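
Added example (not code from the plugin or from the original advisory): to support the log monitoring and firewall recommendations above, this Python sketch flags request parameters that carry a PHP serialized object token, including double URL-encoded and base64-wrapped values. The request paths and the parameter name "meta" are constructed placeholders, and only query strings and form-encoded bodies are covered.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit

# PHP serialize() writes an object as O:<byte length of class name>:"<class name>":<count>:{
# (C: for classes implementing Serializable).
OBJECT_TOKEN = re.compile(r'(?<![A-Za-z0-9_])[OC]:(\d+):"([^"]{1,255})":\d+:\{')

def candidate_forms(value):
    """Yield the value as received, up to two further URL-decodings, and a base64 decoding."""
    seen, current = set(), value
    for _ in range(3):
        if current in seen:
            break
        seen.add(current)
        yield current
        current = unquote_plus(current)
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass

def serialized_classes(value):
    """Return class names found in any decoded form whose declared length matches."""
    found = []
    for form in candidate_forms(value):
        for match in OBJECT_TOKEN.finditer(form):
            length, name = int(match.group(1)), match.group(2)
            # The length check drops text that merely resembles the token.
            if len(name.encode("utf-8")) == length and name not in found:
                found.append(name)
    return found

def scan_request(url, body=""):
    """Return (parameter, class name) pairs for query-string and form-body parameters."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [(key, cls) for key, value in pairs for cls in serialized_classes(value)]

# Constructed sample requests; paths and parameter names are placeholders.
_NESTED = base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()
SAMPLES = [
    ("/wp-admin/admin-ajax.php?action=example", urlencode({"meta": 'O:8:"stdClass":0:{}'})),
    ("/wp-admin/admin-ajax.php?action=example", urlencode({"meta": _NESTED})),
    ("/?s=export+orders", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, scan_request(url, body))
```

A match is a heuristic signal for review, since legitimate text can contain the same token; the class names it reports show which installed code a request was trying to instantiate.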

Credits

This vulnerability was responsibly disclosed by Craig Smith.