Demo Importer Plus XML External Entity Injection Vulnerability Allowing Code Execution

Vulnerability

An XML External Entity (XXE) injection vulnerability has been identified in the Demo Importer Plus plugin for WordPress, affecting all versions up to and including 2.0.9. The issue lies in the SVG file upload feature: an SVG file is an XML document, and the plugin processes uploaded SVGs in a way that resolves external entities declared inside them, which authenticated attackers with Author-level access or higher can abuse. In vulnerable configurations, this XXE injection can lead to unauthorized code execution. Exploitation is limited to sites running PHP versions prior to 8.0: PHP 8.0 and later require libxml 2.9.0 or newer, where external entity loading is disabled by default.

Impact

Successful exploitation by an authenticated user with Author-level access or higher could result in unauthorized code execution on the affected WordPress site.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access or higher uploads an SVG file whose DTD declares an external entity and references that entity in the document body. The injection triggers when the plugin parses the uploaded file, on a site running a PHP version older than 8.0.
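As an added illustration (this is not the plugin's code and not part of the original advisory), the block below shows what a crafted SVG of this kind looks like, the parsing pattern that makes such an upload dangerous, and an upload handler hardened against it. The SVG contents, the file path inside the entity declaration and the function names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Everything below is constructed
// to show the XXE class behind a crafted SVG upload and a hardened parse.

// Constructed sample payload: the internal DTD subset declares an external
// entity pointing at a local file, and the document body references it.
const CRAFTED_SVG = <<<'SVG'
<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <text x="10" y="20">&xxe;</text>
</svg>
SVG;

// Constructed benign upload for comparison.
const BENIGN_SVG = <<<'SVG'
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40"/>
</svg>
SVG;

// Dangerous pattern: the upload goes straight to the parser with entity
// substitution requested. LIBXML_NOENT makes libxml fetch external entities
// on any PHP version; on PHP < 8.0 the default entity loader was enabled too,
// which is the kind of configuration the advisory describes as exploitable.
function parseSvgUnsafe(string $svg): ?SimpleXMLElement
{
    $doc = simplexml_load_string($svg, SimpleXMLElement::class, LIBXML_NOENT);
    return $doc === false ? null : $doc;
}

// Hardened handler.
function parseSvgSafe(string $svg): ?SimpleXMLElement
{
    // 1. Refuse any DTD before the parser sees it. Icon and demo SVGs do not
    //    need one, and this check does not depend on the libxml version.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $svg)) {
        return null;
    }

    // 2. On PHP < 8.0 switch off the external entity loader explicitly. The
    //    function is deprecated on 8.0+ because loading is already off there.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);

    // 3. Parse without LIBXML_NOENT (no entity substitution) and with
    //    LIBXML_NONET (no network access while parsing).
    $doc = simplexml_load_string($svg, SimpleXMLElement::class, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }

    // 4. Accept only a well-formed document whose root element is <svg>.
    if ($doc === false || $doc->getName() !== 'svg') {
        return null;
    }
    return $doc;
}

// Usage with the constructed inputs: the crafted upload is rejected before
// any parsing happens, the benign one parses normally.
echo parseSvgSafe(CRAFTED_SVG) === null ? "crafted SVG rejected\n" : "crafted SVG accepted\n";
echo parseSvgSafe(BENIGN_SVG) !== null ? "benign SVG accepted\n" : "benign SVG rejected\n";
```

The DOCTYPE check in step 1 is the part worth copying into any SVG upload path: it is cheap, it works the same on every PHP and libxml version, and it removes the attacker's ability to declare entities at all, so the parser flags in step 3 become defence in depth rather than the only barrier.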

Remediation

Update the Demo Importer Plus plugin to version 2.0.10 or a newer patched version. Because only PHP versions prior to 8.0 are affected, sites already on a supported PHP 8.x release are not in the exploitable configuration described above, but updating the plugin remains the fix.

Added: Jan 17, 2026, 8:19 AM
Updated: Jan 17, 2026, 8:19 AM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact         10.0
exploitability  6.0
remediation     7.7
relevance       2.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.