Impact
The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to and including 2.0.6. The flaw arises from insufficient file type validation: a file carrying a double extension bypasses the sanitization step while still being accepted as a valid WXR (WordPress eXtended RSS) import file. Authenticated attackers with Author-level privileges or higher can upload arbitrary files to the site's server, potentially enabling remote code execution. This is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability that threatens the confidentiality, integrity, and availability of the affected WordPress environment.
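The following is an added example, not code from Demo Importer Plus, written to show the validation pattern that produces this class of bug and a stricter check beside it. The weak function is a hypothetical check that only looks for ".xml" somewhere in the filename; the plugin's actual logic is not on this page. The strict function requires the final extension to be exactly "xml", rejects inner segments that a web server might interpret, and confirms the content is well-formed XML declaring the WXR namespace. The sample filenames and the minimal WXR document are constructed for the example; it assumes PHP 8 with SimpleXML.

```php
<?php
// Added example: hypothetical weak extension check beside a strict WXR validator.
// Not the plugin's own code; filenames and sample document are constructed.

declare(strict_types=1);

/**
 * Hypothetical weak check (assumed pattern, not the plugin's real code):
 * accepts any name that merely *contains* ".xml", so a double-extension
 * name such as "demo.xml.php" is treated as a WXR file.
 */
function weak_is_wxr(string $filename): bool
{
    return stripos($filename, '.xml') !== false;
}

/**
 * Strict check: the final extension must be exactly "xml", no inner
 * dot-separated segment may be a server-interpreted extension, the name
 * must be a bare basename, and the body must parse as XML with the
 * "wp" WXR export namespace.
 */
function strict_is_wxr(string $filename, string $contents): bool
{
    // Reject path separators, NUL bytes and other control characters.
    if (basename($filename) !== $filename || preg_match('/[\x00-\x1F]/', $filename)) {
        return false;
    }

    $parts = explode('.', $filename);
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    if (strtolower(array_pop($parts)) !== 'xml') {
        return false;                       // last extension must be xml
    }

    // Inner segments like "demo.php.xml" are rejected because some server
    // configurations (e.g. multi-extension MIME handling) still execute them.
    $blocked = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'pht', 'shtml', 'cgi', 'pl'];
    foreach ($parts as $segment) {
        if (in_array(strtolower($segment), $blocked, true)) {
            return false;
        }
    }

    // Content check: well-formed XML, no network entity fetches, WXR namespace present.
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($contents, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return false;
    }
    $ns = $doc->getDocNamespaces(true);
    return isset($ns['wp']) && str_starts_with($ns['wp'], 'http://wordpress.org/export/');
}

// Constructed minimal WXR body used only for the demonstration below.
$sampleWxr = '<?xml version="1.0" encoding="UTF-8"?>'
    . '<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">'
    . '<channel><title>Demo</title></channel></rss>';

foreach (['demo.xml', 'demo.xml.php', 'demo.php.xml', 'demo'] as $name) {
    printf(
        "%-14s weak=%s strict=%s\n",
        $name,
        weak_is_wxr($name) ? 'accept' : 'reject',
        strict_is_wxr($name, $sampleWxr) ? 'accept' : 'reject'
    );
}
// Expected: only "demo.xml" is accepted by the strict check; the weak check
// also accepts both double-extension names.
```

In a real plugin the extension and MIME checks would normally be delegated to WordPress's own `wp_check_filetype_and_ext()` together with `sanitize_file_name()`, which already strips trailing dots and collapses multiple extensions; the point of the standalone version is to make visible that a substring match on ".xml" is not an extension check, and that the accepted file must also be validated by content, not only by name.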
Affected Systems
Kraftplugins’ Demo Importer Plus 2.0.6 and earlier. The vulnerability affects all WordPress sites that have the plugin installed at or below the specified version; no other products are affected. Sites must verify the installed plugin version and ensure it is not within the vulnerable range.
Risk and Exploitability
The flaw carries a CVSS base score of 8.8, classifying it as high severity. The EPSS score of <1% indicates a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, any authenticated user holding the Author role or higher can use the upload bypass to place arbitrary files on the server, making the risk significant for sites that grant the Author role to many or loosely vetted users. An attacker needs valid credentials for such an account; no additional privilege beyond what the Author role already grants is required. Given the severity and the potential for RCE, the vulnerability represents a serious threat if an attacker can obtain such credentials or trick a legitimate user into uploading a malicious payload.
OpenCVE Enrichment