CVE Alert: CVE-2025-10040 – smackcoders – WP Import – Ultimate CSV XML Importer for WordPress

CVE-2025-10040

HIGH
No exploitation known

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘get_ftp_details’ AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
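The handler below is an added illustration of the CWE-862 pattern the advisory describes, not the smackcoders plugin's actual source. Only the AJAX action name get_ftp_details comes from the advisory; the callback names and the example_ftp_settings option are hypothetical. The vulnerable shape returns stored credentials to any logged-in user; the hardened shape adds the capability check, a nonce check, and stops echoing the secret back at all.

```php
<?php
/**
 * Illustrative AJAX handler for the CWE-862 pattern in CVE-2025-10040.
 * Added example code, not the plugin's own: function names and the
 * 'example_ftp_settings' option are hypothetical. Only the action name
 * 'get_ftp_details' is taken from the advisory.
 */

// VULNERABLE: every logged-in user, Subscriber included, can send
// POST /wp-admin/admin-ajax.php with action=get_ftp_details and get the
// stored credentials back, because nothing checks who is asking.
function example_get_ftp_details_vulnerable() {
    $settings = get_option( 'example_ftp_settings', array() ); // hypothetical option
    wp_send_json_success( $settings ); // no capability check, no nonce check
}
// add_action( 'wp_ajax_get_ftp_details', 'example_get_ftp_details_vulnerable' );

// HARDENED: require the capability the feature needs, verify a nonce, and
// return only what the admin UI has to display.
function example_get_ftp_details_hardened() {
    // 1. Authorisation: configuring an importer is an administrative task.
    //    wp_send_json_error() ends the request via wp_die(), so nothing below runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF: expects a nonce created with wp_create_nonce( 'example_ftp_nonce' )
    //    on the plugin's settings page and sent as the 'nonce' parameter.
    //    check_ajax_referer() dies on failure by default.
    check_ajax_referer( 'example_ftp_nonce', 'nonce' );

    $settings = get_option( 'example_ftp_settings', array() );

    // 3. Data minimisation: the browser needs host, port and username to show
    //    the form; it never needs the password itself, only whether one is set.
    $response = array(
        'host'         => isset( $settings['host'] ) ? $settings['host'] : '',
        'port'         => isset( $settings['port'] ) ? (int) $settings['port'] : 22,
        'username'     => isset( $settings['username'] ) ? $settings['username'] : '',
        'password_set' => ! empty( $settings['password'] ),
    );
    wp_send_json_success( $response );
}
add_action( 'wp_ajax_get_ftp_details', 'example_get_ftp_details_hardened' );
```

Note that the absence of a matching wp_ajax_nopriv_get_ftp_details hook is what keeps the bug at PR:L (anonymous callers get WordPress's default "0" reply); it is not a substitute for the capability check, since on any site with open registration a Subscriber session costs the attacker nothing.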

CVSS v3.1 (7.7)
Vendor
smackcoders
Product
WP Import – Ultimate CSV XML Importer for WordPress
Versions
* <= 7.27 (all versions up to and including 7.27)
CWE
CWE-862 Missing Authorization
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Published
2025-09-10T06:38:49.153Z
Updated
2025-09-10T06:38:49.153Z

AI Summary Analysis

Risk verdict

High risk: unauthorised retrieval of FTP/SFTP credentials via the get_ftp_details AJAX action, usable by Subscriber+ authenticated users; patch promptly.

Why this matters

Exposed credentials grant access to whatever the importer was configured to pull from, typically an external FTP/SFTP server or the site's own hosting storage, enabling data exfiltration or tampering with files that the site later imports. If the stored account is the hosting account's own FTP/SFTP login, the disclosure can escalate to full control of the web root. On sites where Subscriber accounts are easy to obtain (open registration, membership, community or e-commerce sites), an attacker needs nothing more than a legitimate low-privilege session to harvest the credentials.

Most likely attack path

An attacker registers or otherwise obtains a Subscriber-level account, logs in, and sends a request to wp-admin/admin-ajax.php with action=get_ftp_details. Because the handler performs no capability check, it returns the configured FTP/SFTP credentials. The attacker then logs in to the FTP/SFTP server directly, exfiltrating data, planting files to be imported, or pivoting to other systems that share the credentials. No interaction from a privileged user is required.

Who is most exposed

Sites running this plugin that allow open user registration or carry many low-privilege accounts (membership, community, LMS and e-commerce sites), and sites where the stored FTP/SFTP credentials also open the hosting account or other internal systems. Note that admin-ajax.php is reachable on every WordPress install; exposure is determined by who can log in, not by the endpoint being present.

Detection ideas

  • Search web server and WAF logs for requests to /wp-admin/admin-ajax.php carrying action=get_ftp_details. Standard access logs record only the query string, so a POSTed action parameter is visible only in WAF or application-level logs.
  • Treat any hit on that action from a Subscriber, Contributor or Author account as suspicious: the feature is administrative and has no legitimate low-privilege caller.
  • Alert on logins to the FTP/SFTP server using the stored account from unfamiliar source addresses, or on a spike in FTP/SFTP activity shortly after such a request.
  • Correlate those requests with recent account registrations and with new outbound FTP/SFTP connections from the web server.

Mitigation and prioritisation

  • Upgrade to the vendor's patched release; the affected range is all versions up to and including 7.27. If patching is not immediately possible, disable the plugin or its FTP/SFTP import feature.
  • Enforce least privilege: disable open registration where it is not needed, prune unused Subscriber accounts, and block the get_ftp_details action for anyone without an administrative capability until patched.
  • Rotate the stored FTP/SFTP credentials. Assume they are exposed on any site that ran an affected version with non-administrator users, and review the FTP/SFTP server's logs for logins from unexpected sources.
  • Use the WAF to block or at least log requests to admin-ajax.php with action=get_ftp_details as a stop-gap.
  • Test the update in staging before redeploying, then keep monitoring for credential-access attempts and for use of the rotated credentials.
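The must-use plugin below is an added stop-gap that implements the logging idea from the detection list and the "block the action for low-privilege users" idea from the mitigation list in one place. It is example code, not part of the vulnerable plugin or the advisory. It assumes the plugin dispatches the action through wp-admin/admin-ajax.php, which fires admin_init before any wp_ajax_* callback, and it uses manage_options as the required capability (adjust if imports are run by a custom role). Remove it once the patched plugin is installed.

```php
<?php
/**
 * Plugin Name: Stop-gap guard for get_ftp_details (CVE-2025-10040)
 *
 * Added example, not the importer plugin's own code. Save as
 * wp-content/mu-plugins/guard-get-ftp-details.php; must-use plugins load
 * before regular plugins and need no activation. Works only while the
 * action is dispatched via admin-ajax.php, where 'admin_init' runs before
 * the plugin's 'wp_ajax_get_ftp_details' callback.
 */

// Assumption: the capability an importer's FTP settings should require.
define( 'EXAMPLE_REQUIRED_CAP', 'manage_options' );

function example_guard_get_ftp_details() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_text_field( wp_unslash( $_REQUEST['action'] ) );
    if ( 'get_ftp_details' !== $action ) {
        return;
    }

    $user    = wp_get_current_user();
    $roles   = $user->exists() ? implode( ',', $user->roles ) : 'anonymous';
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $method  = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '?';
    $allowed = current_user_can( EXAMPLE_REQUIRED_CAP );

    // Application-level log entry (goes to the PHP error log, or to
    // wp-content/debug.log when WP_DEBUG_LOG is on). Access logs only see
    // the query string, so this captures POSTed actions and the caller's role.
    error_log( sprintf(
        'get_ftp_details request: user_id=%d roles=%s ip=%s method=%s result=%s',
        $user->ID,
        $roles,
        $ip,
        $method,
        $allowed ? 'allowed' : 'blocked'
    ) );

    if ( ! $allowed ) {
        // wp_send_json_error() calls wp_die(), so the plugin's handler never runs.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}
// Priority 0 so the guard runs ahead of anything else hooked to admin_init.
add_action( 'admin_init', 'example_guard_get_ftp_details', 0 );
```

Every "result=blocked" line from a non-anonymous user is an exploitation attempt worth investigating; "result=allowed" lines from administrators are the baseline and should be rare. Because a must-use plugin cannot be disabled from the dashboard, delete the file rather than leaving it in place after upgrading.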
