Description
The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-11-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The WP移行専用プラグイン for CPI plugin for WordPress lets unauthenticated users upload arbitrary files because the Cpiwm_Import_Controller::import function performs no file type validation. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). If an attacker uploads a PHP script or other content the web server will execute, requesting that file runs the attacker's code with the privileges of the web-server process, which amounts to full control of the site.

Affected Systems

The vulnerability affects the WP移行専用プラグイン for CPI plugin (vendor slug kddiwebcommunications) for WordPress in every release up to and including version 1.0.2. Any WordPress installation on which the plugin is active and its import handler is reachable exposes the flaw.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges and no user interaction required, with high impact on confidentiality, integrity and availability. The EPSS score of less than 1% indicates a low but non-zero observed likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation but rates the attack as automatable with total technical impact. Because the upload endpoint requires no authentication, an attacker can exploit the flaw directly by uploading a file containing server-side code and then requesting it. With no official patch available, every site still running version 1.0.2 or earlier remains exposed.

Generated by OpenCVE AI on April 22, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP移行専用プラグイン for CPI as soon as the vendor publishes a release that removes the arbitrary file upload flaw; no fixed version was listed when this page was generated.
  • Until a fix is available, disable the import functionality or deactivate and uninstall the plugin.
  • Require authentication and a capability check on the import endpoint, enforce server-side file-type validation against an explicit allow-list of extensions and MIME types, and store uploaded files outside the web root under server-chosen names with execute permissions turned off.
  • Block execution of files in the upload directory via web-server configuration (e.g., deny PHP handling for anything under wp-content/uploads in .htaccess or the server config).
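As an added illustration of the third recommendation (authentication plus server-side type validation, with storage outside the web root), the following is a hardened WordPress import handler. It is example code written for this page, not the plugin's own Cpiwm_Import_Controller::import, whose internals this page does not show; the hook name, nonce action, form field name, target directory and the downstream processing action are all assumptions.

```php
<?php
// Added illustration (not the plugin's code): a hardened WordPress import
// handler that closes the two gaps named in the advisory, namely that the
// endpoint is reachable without authentication and that the uploaded file's
// type is never validated. Hook name, nonce action, field name, directory
// and the processing action are assumptions made for this example.

// Registered only on admin_post_ (never admin_post_nopriv_), so requests
// from logged-out visitors never reach the handler at all.
add_action( 'admin_post_cpiwm_import_example', 'cpiwm_example_import_handler' );

function cpiwm_example_import_handler() {
    // 1. Authorisation: only administrators may run a site migration import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a valid nonce (dies with 403 otherwise).
    check_admin_referer( 'cpiwm_import_example', '_cpiwm_nonce' );

    if ( empty( $_FILES['import_file'] ) || ! is_array( $_FILES['import_file'] ) ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['import_file'];

    if ( UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_die( 'Upload failed.', '', array( 'response' => 400 ) );
    }

    // 3. Server-side type validation against an explicit allow-list.
    //    A migration archive is the only thing this endpoint should accept;
    //    wp_check_filetype_and_ext() clears 'ext'/'type' when the extension and
    //    the MIME type reported by fileinfo do not agree with the allow-list.
    $allowed = array( 'zip' => 'application/zip' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only .zip archives are accepted.', '', array( 'response' => 415 ) );
    }

    // 4. Defence in depth: an independent check on the content itself. A
    //    non-empty zip begins with the local file header signature "PK\x03\x04"
    //    (an empty archive starts with "PK\x05\x06" and is rejected here too).
    $fh    = fopen( $file['tmp_name'], 'rb' );
    $magic = $fh ? fread( $fh, 4 ) : '';
    if ( $fh ) {
        fclose( $fh );
    }
    if ( "PK\x03\x04" !== $magic ) {
        wp_die( 'File content is not a zip archive.', '', array( 'response' => 415 ) );
    }

    // 5. Store outside the web root under a random, server-chosen name, so the
    //    client-supplied filename (and any double extension in it) never touches
    //    disk and nothing in the directory is reachable over HTTP.
    $dest_dir = dirname( untrailingslashit( ABSPATH ) ) . '/cpiwm-imports'; // assumption: sibling of the web root
    if ( ! is_dir( $dest_dir ) && ! wp_mkdir_p( $dest_dir ) ) {
        wp_die( 'Cannot create import directory.', '', array( 'response' => 500 ) );
    }
    $dest = $dest_dir . '/' . wp_generate_password( 32, false ) . '.zip';
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        wp_die( 'Cannot store upload.', '', array( 'response' => 500 ) );
    }
    chmod( $dest, 0600 );

    // Hand the validated archive to the (assumed) import routine, then return to the admin page.
    do_action( 'cpiwm_example_process_archive', $dest );
    wp_safe_redirect( admin_url( 'admin.php?page=cpiwm-import&done=1' ) );
    exit;
}
```

Registering only the admin_post_ hook and not its admin_post_nopriv_ counterpart is what closes the unauthenticated path; the capability check and nonce then guard against low-privilege users and cross-site request forgery. The extension/MIME comparison and the magic-byte test are two independent checks on what was uploaded, and neither replaces the web-server rule in the last recommendation: PHP execution under wp-content/uploads should still be denied in case any other code path writes attacker-controlled files there.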



Advisories

No advisories yet.

History

No values were removed in any of the entries below; each lists only the values added.

Fri, 14 Nov 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type: Description
Values added: The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Type: Title
Values added: WP移行専用プラグイン for CPI <= 1.0.2 - Unauthenticated Arbitrary File Upload

Type: Weaknesses
Values added: CWE-434

Type: References
Values added: none listed

Type: Metrics (cvssV3_1)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:42.118Z

Reserved: 2025-09-29T17:18:31.768Z

Link: CVE-2025-11170

Vulnrichment

Updated: 2025-11-14T15:25:21.411Z

NVD

Status: Deferred

Published: 2025-11-11T04:15:41.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses