Description
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Published: 2025-04-01
Score: 8.8 High
EPSS: 1.2% Low
KEV: No
Impact: Remote code execution through arbitrary file upload
Action: Apply Patch
AI Analysis

Impact

The vulnerability is caused by a lack of file type validation in the import_single_post_as_csv() routine, allowing an authenticated user with a Subscriber role or higher to upload any file to the site’s server. Once a file is stored, the attacker can potentially execute code on the server, creating a path to full compromise. This flaw maps to CWE‑434, an untrusted upload weakness with high confidentiality, integrity, and availability impact.

Affected Systems

WordPress sites that use the "WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress" plugin in any version up to and including 7.19 are affected. The flaw was inadvertently reintroduced in version 7.20 and corrected again in 7.20.1. Sites running any of these versions that grant Subscriber-level access or higher to any user are exposed and should treat the risk as real.

Risk and Exploitability

The CVSS 3.1 score of 8.8 indicates high severity: the vector rates the impact on confidentiality, integrity and availability as high. The EPSS score of 1% signals that the probability of exploitation in the wild is currently low but still plausible. The plugin is not listed in the CISA KEV catalog. The attack vector requires valid login credentials and depends on the site's role configuration: any user with the Subscriber role or above can reach the import feature and upload a file of an arbitrary type.

Generated by OpenCVE AI on April 21, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Ultimate CSV Importer plugin to version 7.20.1 or later, which restores the missing file-type validation.
  • Restrict the file types and sizes accepted by the import feature, through plugin settings and through server-side checks that inspect file content rather than trusting the client-supplied name or MIME type, so that only CSV, XML or Excel files are processed.
  • Monitor upload and web-server logs for anomalous activity (unexpected file types in the import path, new files in upload directories), and rotate or revoke credentials for affected accounts if suspicious behaviour is detected.
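As an added defensive illustration (not the plugin's own code and not code from this advisory), the following PHP helper shows the kind of server-side validation the second recommendation describes: an extension allowlist, content-based MIME detection with PHP's fileinfo extension that must agree with the extension, a scan of text formats for PHP open tags, and a server-generated storage name. The function name, the allowlist contents and the $tmp_path / $client_name parameters are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Validates an import upload before it is stored.
// $tmp_path    - where the web server received the file (e.g. $_FILES['file']['tmp_name'])
// $client_name - the filename supplied by the browser; treated as untrusted input
// Both parameter names and the allowlist below are assumptions for this example.

const IMPORT_ALLOWED_TYPES = [
    // extension => MIME types libmagic commonly reports for genuine files of that kind
    'csv'  => ['text/csv', 'text/plain', 'application/csv'],
    'xml'  => ['text/xml', 'application/xml'],
    'xlsx' => ['application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/zip'],
    'xls'  => ['application/vnd.ms-excel'],
];

/**
 * Returns [true, $safe_storage_name] when the file is acceptable,
 * or [false, $reason] when it must be rejected.
 */
function validate_import_upload(string $tmp_path, string $client_name): array
{
    // 1. Extension allowlist. Only the final extension decides the format, and every
    //    earlier dotted segment is inspected so that a name carrying a script
    //    extension in a non-final position is rejected as well.
    $parts = explode('.', strtolower(basename($client_name)));
    if (count($parts) < 2) {
        return [false, 'missing file extension'];
    }
    $ext = array_pop($parts);
    if (!isset(IMPORT_ALLOWED_TYPES[$ext])) {
        return [false, "extension .$ext is not an accepted import format"];
    }
    foreach ($parts as $segment) {
        if (preg_match('/^ph(p|tml|ar)\d*$/', $segment)) {
            return [false, 'script extension inside filename'];
        }
    }

    // 2. Content sniffing. The type comes from the bytes on disk, never from the
    //    client-supplied Content-Type header, and it must match the extension.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmp_path);
    if ($detected === false || !in_array($detected, IMPORT_ALLOWED_TYPES[$ext], true)) {
        return [false, "detected content type '$detected' does not match .$ext"];
    }

    // 3. Text formats are additionally checked for a PHP open tag in the first 64 KiB,
    //    since a text file is exactly what an allowlist based on names alone would pass.
    if (in_array($ext, ['csv', 'xml'], true)) {
        $head = file_get_contents($tmp_path, false, null, 0, 65536);
        if ($head !== false && stripos($head, '<?php') !== false) {
            return [false, 'PHP code found in text import file'];
        }
    }

    // 4. Never reuse the client-supplied name on disk: generate one server-side and
    //    keep only the validated extension.
    $safe_name = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, $safe_name];
}
```

The returned name should be written to a directory the web server does not execute scripts from (or outside the web root altogether), which limits the damage even if a later validation bug lets an unexpected file through. The CSV allowlist deliberately includes text/plain because libmagic rarely classifies a plain comma-separated file as text/csv; tighten it only after checking what your PHP build reports for real imports.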

Advisories
Source: EUVD
ID: EUVD-2025-9115
Title: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Values Added: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
References

Tue, 01 Apr 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 04:45:00 +0000

Type: Description
Values Added: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Type: Title
Values Added: Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload
Type: Weaknesses
Values Added: CWE-434
Type: References
Type: Metrics
Values Added: cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:19.719Z

Reserved: 2025-03-05T21:30:50.072Z

Link: CVE-2025-2008

Vulnrichment

Updated: 2025-04-01T16:21:30.402Z

NVD

Status: Deferred

Published: 2025-04-01T05:15:47.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses