WP Ultimate CSV Importer Flaws Expose 20,000 Websites to Attacks


Two high-risk security vulnerabilities in the WP Ultimate CSV Importer plugin for WordPress have been discovered by security researchers.

These flaws, potentially affecting over 20,000 websites, allow authenticated users with subscriber-level access or higher to upload arbitrary files and delete critical site files, enabling attackers to achieve complete site compromise.

The vulnerabilities, an arbitrary file upload and an arbitrary file deletion flaw, affect versions up to 7.19 of WP Ultimate CSV Importer. According to a new advisory by Wordfence, attackers exploiting these flaws can achieve remote code execution or force a site into a compromised setup state.

The arbitrary file upload vulnerability (CVE-2025-2008) has a CVSS score of 8.8. The flaw stems from the import_single_post_as_csv() function of the CSV Importer plugin, which lacks proper file type validation allowing attackers to upload malicious PHP files that can execute code remotely and potentially lead to full site takeover.

Meanwhile, the arbitrary file deletion flaw (CVE-2025-2007) has a CVSS score of 8.1. In this case, the deleteImage() function lacks sufficient file path validation, enabling attackers to delete arbitrary files, including wp-config.php, which forces a site reset and allows hijacking of the setup process.

Read more on attacks exploiting lack of proper file validation: Flaw in AI Plugin Exposes 50,000 WordPress Sites to Remote Attack

These vulnerabilities were reported through the Wordfence Bug Bounty Program by researcher “mikemyers.” Wordfence disclosed the vulnerabilities to the plugin’s developers, Smackcoders, on March 5 2025.

The vendor acknowledged the report on March 7, and a fully patched version, 7.19.1, was released on March 25 2025.

“We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Ultimate CSV Importer as soon as possible considering the critical nature of these vulnerabilities,” Wordfence said.

Given the severity of these security flaws, website administrators should verify that their installations are up to date.

Image credit: Primakov / Shutterstock.com



Source link

Leave a Comment