WP Import Ultimate CSV XML Importer for WordPress Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the WP Import – Ultimate CSV XML Importer for WordPress plugin, affecting all versions through 7.27. The issue arises from inadequate file path validation in the 'upload_function()' method, which enables authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. This vulnerability could easily lead to remote code execution if a critical file, such as 'wp-config.php', is deleted.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion on the server. Deleting certain files, like 'wp-config.php', could lead to remote code execution.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'upload_function' via AJAX. The request must include FTP credentials and a file path that, when processed, bypasses the insufficient validation and leads to the deletion of a targeted file on the server.

Remediation

Users are advised to update the WP Import – Ultimate CSV XML Importer for WordPress plugin to version 7.28 or later.
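The root cause named above is a file-deletion handler that trusts a caller-supplied path. As an added illustration (this is not the plugin's code, and the directory name, function names and sample files are assumptions), the following PHP shows the path-containment check such a handler needs before it ever calls `unlink()`: the path is joined to a fixed allowed directory, canonicalised with `realpath()`, required to be a regular file, and then tested for a `<base>/` prefix so that `..` segments, absolute paths and symlinks cannot reach outside the directory.

```php
<?php
// Added illustration, not code from the WP Import plugin: a path-containment
// check of the kind a file-deletion handler needs before calling unlink().
// $allowedBase, the function names and the demo files are assumptions.

/**
 * Canonicalise $userPath relative to $allowedBase and return it only if it
 * resolves to a regular file strictly inside that directory; otherwise null.
 */
function resolve_deletable_path(string $allowedBase, string $userPath): ?string
{
    $base = realpath($allowedBase);
    if ($base === false || !is_dir($base)) {
        return null;                              // allowed directory missing
    }
    if (strpos($userPath, "\0") !== false) {
        return null;                              // NUL bytes are never legitimate
    }
    // Always join to the base: an absolute $userPath must not replace it.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    // realpath() collapses "..", "." and symlinks and returns false when the
    // target does not exist, so a successful result is the real on-disk path.
    $target = realpath($candidate);
    if ($target === false || !is_file($target)) {
        return null;                              // missing, or a directory
    }
    // Containment check on the canonical path: it must start with "<base>/".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                              // escaped via ".." or a symlink
    }
    return $target;
}

/** Delete only what resolve_deletable_path() accepts; report the outcome. */
function safe_delete(string $allowedBase, string $userPath): bool
{
    $path = resolve_deletable_path($allowedBase, $userPath);
    if ($path === null) {
        return false;                             // refused, nothing touched
    }
    return unlink($path);
}

// --- constructed demo: a temporary "uploads" directory with one file, plus
// --- one file outside it that a correct handler must never be able to remove.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-uploads-' . uniqid();
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'import.csv', "id,title\n1,hello\n");
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-outside-' . uniqid() . '.txt';
file_put_contents($outside, "must survive\n");

$attempts = [
    'import.csv',                                 // legitimate upload: deleted
    '../' . basename($outside),                   // traversal out of base: refused
    $outside,                                     // absolute path: refused
    'missing.csv',                                // non-existent: refused
];
foreach ($attempts as $p) {
    printf("%-40s => %s\n", $p, safe_delete($uploads, $p) ? 'deleted' : 'refused');
}
printf("outside file still exists: %s\n", file_exists($outside) ? 'yes' : 'no');

// cleanup of the constructed demo files
@unlink($outside);
@rmdir($uploads);
```

In a WordPress AJAX handler the containment check is the last line of defence, not the first: the action should also be gated by `check_ajax_referer()` and a `current_user_can()` capability check appropriate to the operation, so that Subscriber-level accounts never reach the deletion code at all, and a deletion that is refused by the path check is worth logging, since a legitimate importer has no reason to submit a path that resolves outside its own upload directory.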

Added: Sep 17, 2025, 6:17 AM
Updated: Sep 17, 2025, 6:17 AM