CVE-2025-1913: 
WordPress vulnerability analysis and mitigation

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 2.5.0. The vulnerability exists in the deserialization of untrusted input from the 'form_data' parameter. This issue was discovered and patched in version 2.5.1, released on March 25, 2025 (NVD).

The vulnerability allows authenticated attackers with Administrator-level access to inject PHP Objects through the deserialization of untrusted input. The issue stems from unsafe deserialization of the 'form_data' parameter. No known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, which limits the potential impact unless another plugin or theme containing a POP chain is installed. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD).

If a POP chain is present via an additional plugin or theme installed on the target system, this vulnerability could allow authenticated attackers to perform various malicious actions including deleting arbitrary files, retrieving sensitive data, or executing code depending on the available POP chain (NVD).

The vulnerability has been patched in version 2.5.1 of the plugin. Users should update to this version or later to mitigate the risk. The update includes security fixes for PHP Object Injection, Server-Side Request Forgery, Arbitrary File Deletion, and Directory Traversal vulnerabilities (WordPress Plugin).