Description
The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible.
Published: 2025-09-10
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Unsafe File Upload
Action: Immediate Patch
AI Analysis

Impact

The WP All Import plugin allows users to import XML, CSV, and Excel files into WordPress. The import function lacks file type validation in versions up to 3.9.3, enabling authenticated administrators to upload arbitrary files such as .phar archives. An attacker could use these uploads to execute code on the server, potentially compromising all sites that use the plugin.

Affected Systems

WordPress sites running the WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin, up to and including version 3.9.3.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.2, indicating a high level of severity. The EPSS score of less than 1% suggests low but non‑zero exploitation probability, and it is not yet listed in the CISA KEV catalog. Because the attack requires administrative authentication, the threat is limited to sites where an attacker has already gained such access. However, once privileged, the attacker can upload malicious files and potentially achieve remote code execution.

Generated by OpenCVE AI on April 21, 2026 at 03:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP All Import plugin to a version that includes the file type validation fix (at least 3.9.4 or later).
  • Configure the plugin settings or server file‑upload rules to block .phar and other dangerous file extensions if an immediate update is not possible.
  • If the plugin is not critical, consider deactivating or removing it until a secure version is available.

Generated by OpenCVE AI on April 21, 2026 at 03:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27522 The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible.
History

Fri, 12 Sep 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpallimport
Wpallimport import Plugin
Vendors & Products Wordpress
Wordpress wordpress
Wpallimport
Wpallimport import Plugin

Wed, 10 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Sep 2025 06:45:00 +0000

Type Values Removed Values Added
Description The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible.
Title Import any XML, CSV or Excel File to WordPress <= 3.9.3 - Authenticated (Admin+) Limited Unsafe File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpallimport Import Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:23.155Z

Reserved: 2025-09-04T17:50:53.706Z

Link: CVE-2025-10001

cve-icon Vulnrichment

Updated: 2025-09-10T15:43:02.543Z

cve-icon NVD

Status : Deferred

Published: 2025-09-10T07:15:41.800

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10001

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses