Recent security assessments have uncovered critical vulnerabilities in the WP Ultimate CSV Importer plugin, a widely used tool with over 20,000 active installations. These flaws pose significant risks, potentially allowing attackers to gain unauthorized control over affected WordPress sites.
Overview of the Vulnerabilities
The identified vulnerabilities are:
1. CVE-2025-2008: Arbitrary File Upload
This high-severity flaw (CVSS score: 8.8) permits authenticated users with at least subscriber-level access to upload malicious files, including executable PHP scripts. The issue arises from insufficient validation in the `import_single_post_as_csv()` function, enabling attackers to bypass file type restrictions and execute arbitrary code on the server. This could lead to a complete site compromise.
2. CVE-2025-2007: Arbitrary File Deletion
With a CVSS score of 8.1, this vulnerability allows authenticated users to delete critical files, such as `wp-config.php`, via the `deleteImage()` function. The flaw stems from inadequate path sanitization, enabling attackers to specify and delete arbitrary files. Removing essential files like `wp-config.php` can force the site into setup mode, potentially allowing attackers to reconfigure the site and gain administrative access.
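Both root causes named above, a delete routine that trusts a user-supplied path and an import routine that trusts the client's file type, are closed by the same defensive pattern: resolve and contain the path, and allowlist the upload. The following is an added PHP illustration, not the plugin's own code or the fix shipped in 7.19.1; the function names and the `$base_dir` parameter (the uploads directory, `wp_upload_dir()['basedir']` in WordPress) are assumptions.

```php
<?php
// Added example (not from WP Ultimate CSV Importer). Shows the two checks whose
// absence the advisory describes: path containment before deleting a file, and an
// extension/MIME allowlist before accepting an upload. $base_dir is assumed to be
// the uploads directory; in WordPress that would be wp_upload_dir()['basedir'].

function safe_delete_upload(string $base_dir, string $user_path): bool {
    // realpath() collapses "../" segments and symlinks, and returns false when the
    // target does not exist, so both the base and the candidate are normalised first.
    $base   = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $user_path);
    if ($base === false || $target === false) {
        return false;
    }
    // Containment check: the resolved target must sit strictly inside $base.
    // Comparing with the trailing separator stops "/uploads-x" matching "/uploads".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false; // e.g. a traversal that resolves to wp-config.php is refused
    }
    return is_file($target) && unlink($target);
}

function is_allowed_csv_upload(string $tmp_path, string $client_name): bool {
    // Allowlist, never a denylist: the importer only ever needs .csv input.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if ($ext !== 'csv') {
        return false;
    }
    // Reject double extensions such as "report.php.csv" by inspecting every part.
    foreach (explode('.', strtolower($client_name)) as $part) {
        if (in_array($part, ['php', 'phtml', 'phar', 'php5', 'php7', 'php8'], true)) {
            return false;
        }
    }
    // Sniff the actual bytes instead of trusting the client-declared MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    return in_array($mime, ['text/plain', 'text/csv', 'application/csv'], true);
}
```

Both functions return false rather than throwing, so a caller can log the rejected path or filename as a detection signal while still refusing the operation.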
Discovery and Reporting
Security researcher mikemyers identified these vulnerabilities and responsibly reported them through Wordfence’s Bug Bounty Program, earning bounties of $676 and $468 for the discoveries. Wordfence notified the plugin’s developer, Smackcoders, on March 5, 2025. In response, Smackcoders released version 7.19.1 to address these issues.
Potential Impact
Exploitation of these vulnerabilities could lead to:
– Remote Code Execution (RCE): Attackers could execute arbitrary code on the server, leading to full site control.
– Site Reset and Takeover: By deleting critical files, attackers could force the site into a setup state, allowing them to reconfigure the site and gain administrative privileges.
Recommendations for Site Administrators
To mitigate these risks, site administrators should:
– Update the Plugin: Immediately upgrade to WP Ultimate CSV Importer version 7.19.1 or later.
– Review User Permissions: Ensure that only trusted users have subscriber-level access or higher.
– Implement Security Measures: Use security plugins and a web application firewall to monitor for and block malicious activity.
Conclusion
The discovery of these vulnerabilities underscores the importance of regular security assessments and prompt updates. By taking proactive measures, site administrators can protect their WordPress sites from potential exploits and maintain the integrity of their online presence.