WP Ultimate CSV Importer Flaws Expose 20,000 Websites to Attacks

Two high-risk security vulnerabilities in the WP Ultimate CSV Importer plugin for WordPress have been discovered by security researchers.
These flaws, potentially affecting over 20,000 websites, allow authenticated users with subscriber-level access or higher to upload arbitrary files and delete critical site files, enabling attackers to achieve complete site compromise.
The vulnerabilities, an arbitrary file upload and an arbitrary file deletion flaw, affect versions up to 7.19 of WP Ultimate CSV Importer. According to a new advisory by Wordfence, attackers exploiting these flaws can achieve remote code execution or force a site into a compromised setup state.
The arbitrary file upload vulnerability (CVE-2025-2008) has a CVSS score of 8.8. The flaw stems from the import_single_post_as_csv() function of the CSV Importer plugin, which lacks proper file type validation, allowing attackers to upload malicious PHP files that can execute code remotely and potentially lead to full site takeover.
Meanwhile, the arbitrary file deletion flaw (CVE-2025-2007) has a CVSS score of 8.1. In this case, the deleteImage() function lacks sufficient file path validation, enabling attackers to delete arbitrary files, including wp-config.php, which forces a site reset and allows hijacking of the setup process.
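The two missing checks described above, file type validation on upload and path validation before deletion, can be illustrated with the following added example. It is not code from the plugin or its patch; the function names, the extension allowlist and the demo directory tree are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from WP Ultimate CSV Importer.

// Extensions an import feature is assumed to accept (assumption, not from the plugin).
const ALLOWED_IMPORT_EXTENSIONS = ['csv', 'xml', 'txt'];

// Accept an upload only if its final extension is allowlisted and no
// other extension segment is PHP-executable (e.g. "theme.php.csv").
function is_allowed_import_file(string $filename): bool
{
    $parts = explode('.', strtolower(basename(str_replace('\\', '/', $filename))));
    if (count($parts) < 2 || !in_array(end($parts), ALLOWED_IMPORT_EXTENSIONS, true)) {
        return false;
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (preg_match('/^(php\d*|phtml|phar)$/', $segment)) {
            return false;
        }
    }
    return true;
}

// Resolve a user-supplied path and return it only if it is a regular file
// strictly inside $baseDir; otherwise return null so the caller refuses to delete.
function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target === false || !is_file($target) || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree: <tmp>/.../wp-config.php and <tmp>/.../uploads/img.png
$site = sys_get_temp_dir() . '/csv-importer-demo-' . getmypid();
mkdir("$site/uploads", 0700, true);
file_put_contents("$site/wp-config.php", "<?php // constructed\n");
file_put_contents("$site/uploads/img.png", 'constructed');

var_dump(is_allowed_import_file('posts.csv'));                  // allowlisted extension
var_dump(is_allowed_import_file('theme.php'));                  // PHP file
var_dump(is_allowed_import_file('theme.php.csv'));              // double extension
var_dump(resolve_inside("$site/uploads", 'img.png') !== null);  // file inside the base directory
var_dump(resolve_inside("$site/uploads", '../wp-config.php'));  // traversal out of the base directory
```

Because both flaws are reachable by subscriber-level accounts, checks like these belong alongside a capability check on the handler, not in place of one.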
These vulnerabilities were reported through the Wordfence Bug Bounty Program by researcher “mikemyers.” Wordfence disclosed the vulnerabilities to the plugin’s developers, Smackcoders, on March 5, 2025.
The vendor acknowledged the report on March 7, and a fully patched version, 7.19.1, was released on March 25, 2025.
“We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Ultimate CSV Importer as soon as possible considering the critical nature of these vulnerabilities,” Wordfence said.
Given the severity of these security flaws, website administrators should verify that their installations are up to date.