Vulnerabilities

CVE-2025-14478 - Demo Importer Plus <= 2.0.9 - authenticated (author+) blind xml external entity ...

2026-01-17 0 views admin

CVE ID : CVE-2025-14478 Published : Jan. 17, 2026, 7:27 a.m. | 1 hour, 1 minute ago Description : The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

CVE ID

CVE-2025-14478

Published

Jan. 17, 2026

Affected Product: WordPress

Impact: XXE

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2025-14478wordpress

CVE-2025-14478 - Demo Importer Plus <= 2.0.9 - authenticated (author+) blind xml external entity ...

CVE Details

🏷️ Tags

More from Vulnerabilities

CVE-2025-15530 - Open5GS s11-handler.c assertion

CVE-2025-10484 - Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - authent...

CVE-2025-8615 - CubeWP <= 1.1.26 - authenticated (contributor+) stored cross-site scripting via c...

CVE-2025-14078 - PAYGENT for WooCommerce <= 2.4.6 - missing authorization to unauthenticated paym...

Trending

Tech: Go-legacy-winxp: Compile Golang 1.24 code for Windows XP

Tech: Data is the only moat

Tech: Pocket TTS: A high quality TTS that gives your CPU a voice

Tech: AWS European Sovereign Cloud

Tech: JuiceFS is a distributed POSIX file system built on top of Redis and S3