Description
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Published: 2025-04-01
Score: 8.1 High
EPSS: 4.9% Low
KEV: No
Impact: Arbitrary file deletion with potential remote code execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability lies in inadequate file path validation in the deleteImage() routine, allowing an attacker who is authenticated with Subscriber-level permissions or higher to instruct the plugin to delete any file on the server. This flaw permits direct file system manipulation, which, when used to delete critical configuration files such as wp-config.php, can lead to remote code execution or other severe compromises. The weakness is a classic path traversal problem identified by CWE‑23.

Affected Systems

WordPress sites running the WP Ultimate CSV Importer plugin from smackcoders. All deployments using version 7.19 or earlier, as well as version 7.20 where the flaw was reintroduced, are affected until the fix releases in 7.20.1. Upgrades to 7.20.1 or later eliminate the issue.

Risk and Exploitability

The CVSS score of 8.1 reflects high severity, and the EPSS score of 5% indicates a moderate probability of exploitation. Because the attack requires only subscriber‑level credentials—common in many sites—the risk is significant for sites with widespread Subscriber roles. The flaw is not listed in the CISA KEV catalog, but the potential for remote code execution makes it a priority to remediate before exploitation occurs. The attack vector is likely web‑based, with an authenticated user submitting a crafted request to initiate the deleteImage() action. No special conditions beyond Subscriber privileges are indicated by the data.

Generated by OpenCVE AI on April 21, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Ultimate CSV Importer plugin to version 7.20.1 or later to apply the fixed file‑path validation logic
  • Restrict the deleteImage capability in the WordPress role settings so that only administrators can delete files via the plugin
  • If an immediate upgrade is not possible, disable or remove the deleteImage feature from the plugin files or use a security plugin to block file deletion endpoints for non‑admin users

Generated by OpenCVE AI on April 21, 2026 at 21:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9114 The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
References

Tue, 01 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:40.111Z

Reserved: 2025-03-05T21:29:34.461Z

Link: CVE-2025-2007

cve-icon Vulnrichment

Updated: 2025-04-01T16:34:34.500Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T05:15:47.110

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2007

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses