Description
The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29.
Published: 2025-08-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WP Import Export Lite plugin for WordPress contains a flaw in the wpie_parse_upload_data function that fails to validate the MIME type of uploaded files. The absence of this validation allows authenticated users at the Subscriber level or higher, with any privileges granted by an Administrator, to upload arbitrary files onto the site’s server. Because the plugin does not restrict the types of files that can be uploaded, an attacker could place scripts or executable code in these files, potentially leading to remote code execution on the server. The vulnerability was only partially addressed in version 3.9.29, leaving affected installations still at risk.

Affected Systems

WordPress sites that have installed the vjinfotech WP Import Export Lite plugin version 3.9.29 or earlier. Any subscribers who have been granted permission by an Administrator can act on the vulnerability. Sites that run the plugin without updates are therefore exposed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of <1% shows the likelihood of exploitation is currently low. However, the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access, but an attacker who can elevate a subscriber account or trick an administrator into approving the upload can exploit this flaw. Once a malicious file is uploaded, the potential for remote code execution poses a significant threat to confidentiality, integrity, and availability of the affected WordPress site.

Generated by OpenCVE AI on April 21, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Import Export Lite to version 3.9.30 or newer
  • If version upgrade is not feasible, remove or disable the plugin entirely to prevent unauthorized uploads
  • Configure WordPress to allow only approved MIME types and file extensions, and restrict upload capabilities to administrators

Generated by OpenCVE AI on April 21, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23606 The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29.
History

Wed, 13 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vjinfotech:wp_import_export_lite:*:*:*:*:*:wordpress:*:*

Tue, 05 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Vjinfotech
Vjinfotech wp Import Export Lite
Wordpress
Wordpress wordpress
Vendors & Products Vjinfotech
Vjinfotech wp Import Export Lite
Wordpress
Wordpress wordpress

Tue, 05 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 05 Aug 2025 07:30:00 +0000

Type Values Removed Values Added
Description The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29.
Title WP Import Export Lite <= 3.9.29 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Vjinfotech Wp Import Export Lite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:31.868Z

Reserved: 2025-05-21T15:27:22.549Z

Link: CVE-2025-5061

cve-icon Vulnrichment

Updated: 2025-08-05T15:19:11.995Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-05T08:15:26.603

Modified: 2025-08-13T19:01:34.893

Link: CVE-2025-5061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses