Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-09-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion leading to potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

The plugin’s upload_function() lacks proper file path validation, allowing an authenticated user with Subscriber-level access or higher to specify any file path and delete files on the server. The vulnerability is a classic CWE-73 path traversal flaw; deleting critical files such as wp-config.php can lead to full site compromise. The impact is loss of data integrity and availability, and it can enable remote code execution if the deleted file is essential for secure operation.

Affected Systems

The vulnerability affects version 7.27 and earlier of the WP Ultimate CSV Importer plugin by smackcoders, an import tool for WordPress that handles CSV, XML, and Excel files.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low current exploitation likelihood. The issue is not listed in CISA’s KEV catalog. The likely attack vector requires authentication; a subscriber or higher role can trigger the delete function after logging into the WordPress dashboard. Successful exploitation requires that the targeted server files be writable and that the attacker knows a valid file path to delete.

Generated by OpenCVE AI on April 22, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Ultimate CSV Importer plugin to a version that contains the path validation fix (any release newer than 7.27).
  • If upgrading is delayed, disable the FTP upload module or block access to uploadModules/FtpUpload.php via web server configuration to prevent file deletion attempts.
  • Configure the server file system so that only privileged users have write/delete rights on site files, ensuring that even if the vulnerability were exploited, the damage would be limited.

Generated by OpenCVE AI on April 22, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-29689 The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 17 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 17 Sep 2025 05:30:00 +0000

Type Values Removed Values Added
Description The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:07.390Z

Reserved: 2025-09-05T19:41:54.480Z

Link: CVE-2025-10058

cve-icon Vulnrichment

Updated: 2025-09-17T12:48:40.350Z

cve-icon NVD

Status : Deferred

Published: 2025-09-17T06:15:45.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10058

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses