Critical security vulnerabilities discovered in a popular WordPress plugin have placed more than 20,000 websites at risk of complete site takeover. 

Security researchers identified two high-severity flaws in the WP Ultimate CSV Importer plugin that could allow even low-privileged users to upload malicious code or delete critical files on affected websites.

Significant Vulnerabilities Uncovered

CVE-2025-2008 (Arbitrary File Upload)

Wordfence reported that the high-severity vulnerability (CVSS 8.8) allows authenticated attackers with subscriber-level access to upload malicious files, including PHP scripts, via the plugin’s import_single_post_as_csv() function. 

The flaw stems from inadequate file type validation during CSV imports, enabling attackers to bypass restrictions and upload executable code. 

Successful exploitation grants remote code execution (RCE), potentially leading to full site compromise.

The vulnerable code lacked checks for allowed file extensions, permitting attackers to upload webshells like malicious.php to the server. 

Security researcher “mikemyers” discovered the flaw, earning a $676 bounty through Wordfence’s Bug Bounty Program.

CVE-2025-2007 (Arbitrary File Deletion)

Rated CVSS 8.1, this vulnerability enables authenticated attackers to delete critical files, such as wp-config.php, via the deleteImage() function. 

Insufficient path sanitization allows attackers to specify arbitrary file paths for deletion, including core WordPress files. 

Deleting wp-config.php forces the site into setup mode, which attackers can hijack to reconfigure the database and gain administrative access. Mikemyers also reported the flaw and received a $468 bounty. 

CVE-2025-2008
  Affected product: WP Ultimate CSV Importer plugin (versions ≤ 7.19)
  Impact: Remote code execution (RCE)
  Exploit prerequisites: Authenticated user with subscriber-level access or higher
  CVSS 3.1 score: 8.8 (High)

CVE-2025-2007
  Affected product: WP Ultimate CSV Importer plugin (versions ≤ 7.19)
  Impact: Arbitrary file deletion leading to site reset
  Exploit prerequisites: Authenticated user with subscriber-level access or higher
  CVSS 3.1 score: 8.1 (High)

Exploitation and Impact

These vulnerabilities create a serious attack vector for malicious actors. With subscriber-level access, attackers can upload webshells to execute arbitrary code on the server or delete critical files like wp-config.php. 

Deleting wp-config.php forces the site into a setup state, potentially allowing attackers to redirect the site to a database under their control.

The developer, Smackcoders, released version 7.19.1 to patch these vulnerabilities after Wordfence notified them on March 5th, 2025. 

Site administrators running this plugin are strongly urged to update to the patched version immediately.

This security incident highlights the importance of maintaining updated WordPress plugins and implementing layered security measures. 

The widespread use of the affected plugin, with over 20,000 active installations, makes this a significant security event for the WordPress community. Site administrators should act immediately to prevent exploitation.
