CVE Alert: CVE-2025-10058 – smackcoders – WP Import – Ultimate CSV XML Importer for WordPress

CVE-2025-10058

HIGH. No exploitation known

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS v3.1 (8.1)
Vendor
smackcoders
Product
WP Import – Ultimate CSV XML Importer for WordPress
Versions
* lte 7.27
CWE
CWE-73 External Control of File Name or Path
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Published
2025-09-17T05:18:44.816Z
Updated
2025-09-17T05:18:44.816Z

AI Summary Analysis

Risk verdict

Why this matters

Most likely attack path

Who is most exposed

Detection ideas

  • Logs show delete actions initiated by the plugin’s upload functionality, especially from authenticated Subscriber+ accounts.
  • Alerts for deletions of critical files (e.g., wp-config.php) or sudden config/permissions changes.
  • Anomalous or elevated file deletion activity from WP directories outside normal maintenance windows.
  • Unusual path traversal-like parameters in plugin upload requests.
  • Integrity monitoring alerts triggered by unexpected file removals.

Mitigation and prioritisation

  • Patch: upgrade to the fixed version of the plugin (or remove/disable if no fix is available); verify with the vendor’s advisories.
  • Access controls: enforce least privilege; restrict plugin functionality to admin-only where feasible.
  • Hardening: implement Web Application Firewall rules to block requests carrying path traversal sequences in file parameters; tighten file-system permissions so the web server user cannot remove core files.
  • Monitoring: enable file integrity checks and real-time alerts for deletions of critical files; ensure reliable backups and tested restores.
  • Change management: apply in a controlled window with rollback; verify site functionality post-patch.
  • If KEV true or EPSS ≥ 0.5, treat as priority 1. (KEV/EPSS not indicated here.)
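The detection ideas and the monitoring bullet above can be turned into a small offline check. The following is an added example, not code from the advisory or from the plugin vendor: it scans combined-format web server log lines for requests to the upload handler whose parameters decode to traversal-like values (including double-encoded forms), and it baselines SHA-256 hashes of critical WordPress files so that an unexpected removal is flagged. The log format, the `admin-ajax.php` request shape, the `upload_function` marker used to recognise the handler, and the list of critical files are assumptions; the log lines are constructed, not real traffic.

```python
"""Added example (not part of the advisory): offline detector for the two
signals listed above -- traversal-like parameters in upload requests and
unexpected removal of critical WordPress files."""
import hashlib
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: requests to the vulnerable handler carry this marker in the
# path or query. The advisory names the PHP function, not the HTTP route,
# so adjust this to how the plugin is reached on your site.
UPLOAD_MARKER = "upload_function"

# Traversal-like sequences: "../" or "..\" in clear, percent-encoded once
# ("%2e%2e/" or "%2e%2e%2f"), or still carrying a double-encoded "%252e".
TRAVERSAL_RE = re.compile(r"(\.\.[/\\])|(%2e%2e[/\\%])|(%252e)", re.IGNORECASE)

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real): one benign upload, one traversal
# attempt, one unrelated request, one double-encoded traversal attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2025:06:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=upload_function&file=uploads/list.csv HTTP/1.1" 200 512
203.0.113.5 - - [17/Sep/2025:06:01:44 +0000] "POST /wp-admin/admin-ajax.php?action=upload_function&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 87
198.51.100.9 - - [17/Sep/2025:06:02:03 +0000] "GET /wp-content/uploads/2025/09/photo.jpg HTTP/1.1" 200 40213
203.0.113.5 - - [17/Sep/2025:06:03:21 +0000] "POST /wp-admin/admin-ajax.php?action=upload_function&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 87
"""

# Assumption: files whose removal would break or expose the site.
CRITICAL_FILES = ["wp-config.php", ".htaccess", "wp-settings.php"]


def parse_line(line: str):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_upload_request(target: str) -> bool:
    """True if the request hits the upload handler and any parameter,
    after one extra round of decoding, contains a traversal-like value."""
    parts = urlsplit(target)
    if UPLOAD_MARKER not in parts.path and UPLOAD_MARKER not in parts.query:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for values in params.values():
        for v in values:
            if TRAVERSAL_RE.search(v) or TRAVERSAL_RE.search(unquote(v)):
                return True
    return False


def scan_log(text: str):
    """Return (ip, timestamp, target) for every suspicious upload request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_upload_request(rec["target"]):
            hits.append((rec["ip"], rec["ts"], rec["target"]))
    return hits


def baseline(root: str) -> dict:
    """SHA-256 of each critical file under root; None when the file is absent."""
    out = {}
    for name in CRITICAL_FILES:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                out[name] = hashlib.sha256(f.read()).hexdigest()
        else:
            out[name] = None
    return out


def integrity_alerts(previous: dict, current: dict):
    """Compare two baselines; removals are the signal the advisory cares about."""
    alerts = []
    for name, old in previous.items():
        new = current.get(name)
        if old is not None and new is None:
            alerts.append(f"REMOVED: {name}")
        elif old is None and new is not None:
            alerts.append(f"CREATED: {name}")
        elif old != new:
            alerts.append(f"CHANGED: {name}")
    return alerts


def simulate_deletion():
    """Constructed demo: baseline a throwaway site root, remove wp-config.php,
    re-baseline and report. Point baseline() at a real root in practice."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "wp-config.php"), "w") as f:
            f.write("<?php // constructed placeholder\n")
        before = baseline(root)
        os.remove(os.path.join(root, "wp-config.php"))
        return integrity_alerts(before, baseline(root))


if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"suspicious upload request from {ip} at {ts}: {target}")
    for alert in simulate_deletion():
        print(alert)
```

Run the baseline on a schedule (or from a file-integrity tool) and diff against the stored result; a `REMOVED` alert for `wp-config.php` combined with a matching `scan_log` hit from the same account or address is the correlation the detection ideas above describe.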
