CVE Alert: CVE-2025-10057 – smackcoders – WP Import – Ultimate CSV XML Importer for WordPress
CVE-2025-10057
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
AI Summary Analysis
Risk verdict
High risk: authenticated remote code execution via the affected plugin, requiring Subscriber+ access; patch urgently.
Why this matters
The vulnerability allows an attacker with a valid WordPress account to inject PHP and gain full control over the site. In practice, this can enable data exfiltration, defacement, or persistence within the hosting environment, with potential impact across all sites sharing the vulnerable plugin.
Most likely attack path
Exploitation requires at least Subscriber-level privileges, after which an attacker can trigger code injection through the plugin’s write_to_customfile path. The CVSS signals indicate network-based exploitation with low complexity and no user interaction, leading to full confidentiality, integrity, and availability impacts. Movement beyond the compromised WordPress instance depends on host configuration and on what the injected code can reach from there.
Who is most exposed
Sites running the WP Import – Ultimate CSV XML Importer for WordPress plugin are most at risk, especially shared or poorly hardened WordPress deployments where many users hold Subscriber-level or higher accounts (including content authors and editors).
Detection ideas
- Unauthorised or unusual PHP files appearing in plugin directories (e.g., new customFunction.php).
- New or modified files in wp-content areas tied to imports or custom scripts.
- PHP code execution events or web requests triggering unexpected outcomes in import endpoints.
- Logs showing authenticated users performing atypical file writes or import operations.
- Anomalous activity from the import-related endpoints or unusual post-auth activity from Subscriber accounts.
Mitigation and prioritisation
- Patch: update the plugin to the latest fixed release or remove the plugin if patching isn’t feasible.
- Access controls: restrict Subscriber+ privileges; enforce least privilege; consider disabling the plugin for non-admin users.
- WAF/IPS: implement rules to block suspicious file writes and PHP code injection attempts via plugin endpoints.
- Monitoring: enable file integrity monitoring on plugin directories; alert on new PHP files or unexpected imports.
- Change management: test patches in staging, verify site integrity, and communicate interim mitigations to content teams.
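The detection ideas above and the monitoring item in the mitigation list both come down to a baseline-and-compare check on PHP files in the plugin tree. The following is an added example (not part of the original alert and not the plugin's own code): it snapshots SHA-256 digests of every PHP file under a directory, reports any new, modified or removed PHP file, and escalates when the file named in the advisory, customFunction.php, appears. The plugin directory name and file contents in `demo()` are constructed for illustration.

```python
"""Baseline-and-compare integrity check for PHP files in a WordPress plugin tree."""
import hashlib
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Filename named in the advisory: its appearance in a plugin directory is an immediate escalation.
WATCHED_NAMES = {"customFunction.php"}


def snapshot(root):
    """Map each PHP file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def fim_alerts(baseline, current):
    """Compare two snapshots; every new, changed or removed PHP file becomes an alert.

    Returns a list of (severity, kind, relative_path) tuples. Any new or modified
    PHP file in a plugin tree is already suspicious ("high"); the advisory's
    customFunction.php is flagged "critical".
    """
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            kind = "NEW_PHP_FILE"
        elif rel not in current:
            kind = "PHP_FILE_REMOVED"
        elif baseline[rel] != current[rel]:
            kind = "PHP_FILE_MODIFIED"
        else:
            continue  # unchanged
        severity = "critical" if Path(rel).name in WATCHED_NAMES else "high"
        alerts.append((severity, kind, rel))
    return alerts


def demo():
    """Constructed scenario: baseline a fake plugin dir, then simulate a customFunction.php write."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / "example-importer-plugin"  # constructed name
        plugin.mkdir(parents=True)
        (plugin / "index.php").write_text("<?php // constructed placeholder\n")
        (plugin / "readme.txt").write_text("not a PHP file, never reported\n")
        baseline = snapshot(plugin)
        # Simulate what the advisory describes: a new PHP file appears in the plugin directory.
        (plugin / "customFunction.php").write_text("<?php /* constructed: file appeared after baseline */\n")
        (plugin / "index.php").write_text("<?php // constructed placeholder, now modified\n")
        return fim_alerts(baseline, snapshot(plugin))
```

In production, persist the baseline taken right after a clean install or update and run the comparison on a schedule, alerting on any non-empty result.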