CVE Alert: CVE-2025-10001 – wpallimport – Import any XML, CSV or Excel File to WordPress

CVE-2025-10001

Severity: HIGH. No exploitation known.

The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site’s server which may make remote code execution possible.

CVSS v3.1 (7.2)
Vendor
wpallimport
Product
Import any XML, CSV or Excel File to WordPress
Versions
* all versions up to and including 3.9.3
CWE
CWE-434 Unrestricted Upload of File with Dangerous Type
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Published
2025-09-10T06:38:50.376Z
Updated
2025-09-10T15:43:14.465Z

AI Summary Analysis

Risk verdict

High risk: an attacker who already holds, or has stolen, an Administrator account can push server-executable files through the import functionality and may reach remote code execution. No active-exploitation signals appear in the data provided, but the impact once the precondition is met is full compromise of the site.

Why this matters

The import functionality does not validate the type of the file it is given, so an Administrator-level user can place files such as .phar on the web server. If such a file lands where the web server hands it to PHP, the attacker has a web shell: code execution in the web server's context, theft of the database credentials in wp-config.php and the data behind them, defacement, and a persistent foothold that survives a WordPress password reset.

Most likely attack path

The attacker needs an Administrator-level account (the PR:H factor that holds the CVSS score at 7.2) and then uses the plugin's own import upload over the network: low complexity, no special conditions, no interaction from any other user. If the uploaded file is stored under the web root in a location PHP executes, a single request to it yields code execution with high impact on confidentiality, integrity and availability; scope is unchanged, so the blast radius is the affected hosting environment.

Who is most exposed

Any site running the plugin at 3.9.3 or earlier where the import feature is reachable by Administrator accounts. The realistic path in is a compromised or over-provisioned admin account: sites with many admins, admins without MFA, and agencies or shared hosts that hand admin logins to clients and contractors. One caveat for triage: on a default single-site install an Administrator can already install plugins and edit theme files, so this bug adds the most risk where that has been locked down (DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT set, or a multisite where site admins cannot install plugins) while the import feature is still available to them.

Detection ideas

  • Files with executable extensions (.php, .phar, .phtml, .php5 and similar, including double extensions such as name.php.jpg) appearing under wp-content/uploads/ or in any directory the import feature writes to.
  • New or modified PHP files whose timestamps cluster around import activity, and any .htaccess or .user.ini written under uploads (either can re-enable execution there).
  • Web-shell artefacts: requests with command-like parameters to paths under uploads, responses from those paths that are not static media, or a POST to a file that should only ever be read.
  • Admin activity out of pattern: imports started by accounts that do not normally run them, outside maintenance windows, or from new source addresses.
  • Execution following uploads: 2xx responses for .php or .phar paths under uploads in the access log, or PHP-FPM and web server error-log entries naming files there.
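The checks in the list above, as an added example in Python (it is not code from the plugin, its vendor or this site). It walks an uploads tree for executable extensions, server-config overrides and PHP open tags, and parses combined-format access-log lines for 2xx responses from PHP-like paths under wp-content/uploads/. The directory layout, file contents and log lines are constructed for the demo.

```python
"""Hunt for files an attacker could have dropped through an unvalidated
import upload and for requests that executed them. Added example for the
detection ideas above, not code from the plugin or its vendor; the directory
layout, sample files and access-log lines are constructed here."""
import os
import re
import tempfile
from pathlib import Path

# Extensions that common PHP hosting setups hand to the interpreter.
DANGEROUS_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phps",
                 ".pht", ".phtml", ".phar"}
# Per-directory server config that can re-enable execution under uploads.
CONFIG_OVERRIDES = {".htaccess", ".user.ini"}
PHP_TAG = re.compile(rb"<\?php|<\?=")
# Common/combined access-log format; only the fields we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A PHP-like extension under uploads, also when another extension follows it
# (name.php.jpg), because Apache's AddHandler matches any extension in the name.
UPLOAD_EXEC_RE = re.compile(
    r"/wp-content/uploads/.*\.(php\d?|phps|pht|phtml|phar)(\.|\?|$)", re.I)


def risky_extensions(name):
    """Return every dangerous extension in the name, so shell.php.jpg is caught."""
    parts = name.lower().split(".")
    return {"." + p for p in parts[1:]} & DANGEROUS_EXT


def scan_uploads(root):
    """Walk an uploads tree; flag dangerous names and PHP open tags in content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            reasons = []
            ext = risky_extensions(fname)
            if ext:
                reasons.append("dangerous extension " + ",".join(sorted(ext)))
            if fname.lower() in CONFIG_OVERRIDES:
                reasons.append("server config override")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # a tag near the top is enough to flag
            except OSError:
                continue
            if PHP_TAG.search(head):
                reasons.append("php open tag in content")
            if reasons:
                findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def suspicious_requests(log_lines):
    """Flag requests that got a 2xx from a PHP-like path under uploads."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["status"].startswith("2") and UPLOAD_EXEC_RE.search(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], m["status"]))
    return hits


def demo():
    """Run both checks over a constructed uploads tree and log sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        month = root / "2025" / "09"
        month.mkdir(parents=True)
        (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg data")
        (month / "import.csv").write_bytes(b"id,name\n1,alice\n")
        (month / "x.phar").write_bytes(b"<?php system($_GET['c']); ?>")
        (month / "shell.php.jpg").write_bytes(b"GIF89a<?php eval($_POST['x']); ?>")
        (month / "notes.txt").write_bytes(b"<?= phpinfo(); ?>")
        (month / ".htaccess").write_bytes(b"AddHandler application/x-httpd-php .jpg\n")
        files = scan_uploads(root)
    logs = [  # constructed lines in combined log format
        '203.0.113.5 - - [10/Sep/2025:07:01:02 +0000] "GET /wp-content/uploads/2025/09/photo.jpg HTTP/1.1" 200 5120 "-" "curl/8.0"',
        '203.0.113.5 - - [10/Sep/2025:07:01:09 +0000] "GET /wp-content/uploads/2025/09/x.phar?c=id HTTP/1.1" 200 87 "-" "curl/8.0"',
        '203.0.113.5 - - [10/Sep/2025:07:01:15 +0000] "POST /wp-content/uploads/2025/09/shell.php.jpg HTTP/1.1" 200 41 "-" "curl/8.0"',
        '198.51.100.7 - - [10/Sep/2025:07:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    ]
    return files, suspicious_requests(logs)


if __name__ == "__main__":
    files, hits = demo()
    for path, reasons in files:
        print(path, "->", "; ".join(reasons))
    for hit in hits:
        print(*hit)
```

The file scan and the log scan complement each other: a double-extension shell such as shell.php.jpg only shows up in the access log under its .jpg name, so the on-disk check is what catches it, while the log check is what tells you whether anything was actually executed.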

Mitigation and prioritisation

  • Update to a release later than 3.9.3 (the latest or vendor-recommended version); verify in staging first.
  • If patching is not feasible, deactivate the plugin or restrict the import feature to the smallest set of admin accounts that need it, and prune the Administrator role to the people who actually require it.
  • Independently of the plugin, enforce server-side validation of import uploads: accept only the extensions the importer needs (xml, csv, xls, xlsx), reject double extensions and dotfiles, check that the content matches the declared type, and store files under a server-generated name. Also block PHP execution under wp-content/uploads/ at the web server (an Apache FilesMatch deny rule in that directory, or an nginx location that returns 403 for .php paths there) so that a file which slips through is never executed.
  • Rotate credentials for all Administrator accounts, enforce MFA on them, and review their recent activity and access rights.
  • Enable WAF rules for upload anomalies, turn on audit logging for admin actions, and alert on new executable files under uploads.
  • Treat as priority 1 only if KEV or EPSS signals indicate active exploitation, or if your admin accounts are weakly protected (no MFA, many admins, shared logins); otherwise keep it high priority in the normal patch cycle.
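Server-side allowlist validation of the kind the third bullet describes, as an added example in Python rather than the plugin's PHP (it is not the plugin's or vendor's code; the allowed type set, the 50 MB limit and the stored-name scheme are assumptions for illustration). It checks content against the declared extension, rejects double extensions and dotfiles, refuses PHP open tags in text formats, and stores files under a server-generated name.

```python
"""Allowlist validation for an importer's upload path. Added example for the
mitigation list above; it is not the plugin's code, and the type set, size
limit and stored-name scheme are assumptions for illustration."""
import io
import re
import secrets
import zipfile

# What an XML/CSV/Excel importer legitimately needs, and nothing else.
ALLOWED = {"xml", "csv", "txt", "xls", "xlsx"}
# Container the content must actually be for each declared extension.
EXPECTED = {"xml": "text", "csv": "text", "txt": "text",
            "xls": "xls", "xlsx": "xlsx"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls compound file


class UploadRejected(ValueError):
    pass


def sniff(data):
    """Classify by content, never by the client-supplied name or MIME type."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return "xlsx" if "[Content_Types].xml" in z.namelist() else None
        except zipfile.BadZipFile:
            return None
    if data.startswith(OLE2_MAGIC):
        return "xls"
    if b"\x00" in data:
        return None
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return "text"


def validate_import_upload(client_name, data, max_bytes=50 * 1024 * 1024):
    """Return a server-generated name to store the file under, or raise."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    # Exactly one extension: rejects shell.php.csv, .htaccess and .user.ini.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("exactly one extension required")
    ext = parts[1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    if sniff(data) != EXPECTED[ext]:
        raise UploadRejected(f"content is not a valid .{ext} file")
    if EXPECTED[ext] == "text":
        if PHP_TAG.search(data):
            raise UploadRejected("php open tag in text file")
        if ext == "xml" and not data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<"):
            raise UploadRejected("xml file does not start with a tag")
    # Never reuse the client's name on disk; it is attacker-controlled.
    return f"import-{secrets.token_hex(8)}.{ext}"


def demo():
    """Run constructed good and bad uploads through the validator."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # minimal OOXML-shaped archive
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    samples = {  # constructed inputs
        "products.csv": b"sku,price\nA1,9.99\n",
        "feed.xml": b"\xef\xbb\xbf<?xml version='1.0'?><items/>",
        "book.xlsx": buf.getvalue(),
        "shell.phar": b"<?php system($_GET['c']);",
        "shell.php.csv": b"a,b\n",
        "evil.csv": b"a,b\n<?php phpinfo(); ?>\n",
        "fake.xlsx": b"sku,price\n",
        ".htaccess": b"AddHandler application/x-httpd-php .csv\n",
    }
    results = {}
    for name, data in samples.items():
        try:
            stored = validate_import_upload(name, data)
            results[name] = "stored as ." + stored.rsplit(".", 1)[1]
        except UploadRejected as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

Extension checks alone are not enough, which is why the content sniff and the PHP-tag scan run as well: a .csv that contains `<?php` is harmless to a CSV parser but becomes a shell the moment a later misconfiguration (or an uploaded .htaccess) makes the server execute it.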
