Description
The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-08-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Upload
Action: Patch Now
AI Analysis

Impact

The vulnerability exists in the file upload handling of the plugin, specifically the 'wpie_tempalte_import' function. By omitting file type validation, an attacker who is logged in at the Subscriber level or higher can upload any file to the server. If the uploaded file is crafted to be executable—such as a PHP script—it can lead to remote code execution, granting the attacker full control over the site. The weakness involves improper restriction of file uploads, identified as CWE-434.

Affected Systems

Any WordPress site running the WP Import Export Lite plugin version 3.9.28 or earlier is impacted. The plugin is distributed by vjinfotech and integrates into WordPress installations via the WordPress plugin framework. Only sites where users have Subscriber-level access or higher, and where administrators have granted upload permissions, are at risk.

Risk and Exploitability

The CVSS score of 7.5 places this flaw in the high severity range, indicating significant potential damage. The EPSS score of less than 1% suggests a low but not negligible probability of exploitation at the time of assessment. The vulnerability is not currently listed in the CISA KEV catalog, which may reduce urgency but does not eliminate the risk. Attackers need legitimate authenticated credentials with sufficient access, but once those exist, the upload path can be used to place malicious files that may be executed if the server's file permissions or PHP settings allow it.

Generated by OpenCVE AI on April 22, 2026 at 14:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Import Export Lite plugin to the latest version where file type validation is enforced; the vendor recommends removing the vulnerable function and adding MIME type checks.
  • If an update is not available immediately, restrict the upload directory by setting restrictive file permissions (e.g., 644) and disabling execution of files in that directory via .htaccess or web server configuration.
  • Consider temporarily disabling the import/export feature for non-administrative users or implementing a whitelist of allowed file types to prevent indiscriminate uploads.
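The actions above amount to restoring the file type validation the vulnerable function lacks: an allowlist of the formats an import feature actually needs, a check that the content matches the claimed type, and a refusal of anything a PHP server might execute. The following validator is an added example written for this record, not code from the WP Import Export Lite plugin or from its vendor (the plugin's own fix is not shown on the page), and it is in Python rather than PHP so it runs stand-alone; the allowlist, the signature table and the sample uploads are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Allowlist for an import/template endpoint: the formats such a feature
# actually consumes. Constructed for this example; the real plugin's list
# is not on the page.
ALLOWED_EXTENSIONS = {"csv", "json", "xml", "txt", "zip"}

# Extensions a typical PHP web server will hand to the interpreter. They are
# refused anywhere in the name, so "template.php.txt" is rejected as well.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "htaccess",
}

# Leading-byte signatures for the binary format in the allowlist (zip local
# file header / empty-archive end record).
MAGIC = {"zip": (b"PK\x03\x04", b"PK\x05\x06")}

# "<?" opens a PHP block under short_open_tag as well as "<?php" / "<?=";
# "<?xml" is the one such prefix a legitimate XML import needs.
PHP_OPEN_TAG = re.compile(r"<\?(?!xml\b)", re.IGNORECASE)


@dataclass
class UploadDecision:
    accepted: bool
    reason: str


def validate_upload(filename: str, data: bytes,
                    max_size: int = 10 * 1024 * 1024) -> UploadDecision:
    """Decide whether an uploaded file may be stored: allowlist first, then content."""
    # Keep only the basename so a path like "../../wp-config.php" cannot steer storage.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith("."):
        return UploadDecision(False, "empty or dot-prefixed filename")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return UploadDecision(False, "missing extension")
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return UploadDecision(False, f"executable extension in name: {name}")
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension '{ext}' not in allowlist")
    if len(data) > max_size:
        return UploadDecision(False, "file exceeds size limit")
    if ext in MAGIC:
        # Binary format: the leading bytes must match the claimed type.
        if not data.startswith(MAGIC[ext]):
            return UploadDecision(False, f"content is not a {ext} file")
        return UploadDecision(True, "ok")
    # Text formats: must be valid UTF-8 and must not embed PHP code.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return UploadDecision(False, "text upload is not valid UTF-8")
    if PHP_OPEN_TAG.search(text):
        return UploadDecision(False, "PHP open tag inside text upload")
    return UploadDecision(True, "ok")


# Constructed sample uploads, one per branch of the validator.
SAMPLES = [
    ("data.csv", b"id,name\n1,example\n"),
    ("settings.xml", b"<?xml version=\"1.0\"?><settings/>"),
    ("export.zip", b"PK\x03\x04" + b"\x00" * 26),
    ("template.php", b"<?php echo 'x'; ?>"),
    ("template.php.txt", b"plain text"),
    ("notes.txt", b"header\n<?php echo 'x'; ?>\n"),
    ("export.zip", b"<?php echo 'x'; ?>"),
    ("../../wp-config.php", b"<?php echo 'x'; ?>"),
]


def run_samples():
    """Return [(filename, UploadDecision)] for the constructed samples."""
    return [(n, validate_upload(n, d)) for n, d in SAMPLES]


if __name__ == "__main__":
    for sample_name, decision in run_samples():
        verdict = "ACCEPT" if decision.accepted else "REJECT"
        print(f"{verdict:6} {sample_name:22} {decision.reason}")
```

The order matters: the extension allowlist runs before any content inspection, so an unexpected type is refused without ever parsing it, and the executable-extension check looks at every extension in the name rather than only the last one. Validation like this complements, rather than replaces, the server-side step in the second action above (disabling script execution in the upload directory), since the two protect against different failure modes.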



Advisories
Source: EUVD
ID: EUVD-2025-23607
Title: The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Tue, 12 Aug 2025 16:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:vjinfotech:wp_import_export_lite:*:*:*:*:*:wordpress:*:*

Tue, 05 Aug 2025 21:30:00 +0000

Type: First Time appeared
Values added: Vjinfotech; Vjinfotech wp Import Export Lite; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Vjinfotech; Vjinfotech wp Import Export Lite; Wordpress; Wordpress wordpress

Tue, 05 Aug 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 Aug 2025 07:30:00 +0000

Type: Description
Values added: The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Type: Title
Values added: WP Import Export Lite <= 3.9.28 - Authenticated (Subscriber+) Arbitrary File Upload
Type: Weaknesses
Values added: CWE-434
Type: References
Type: Metrics (cvssV3_1)
Values added:
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Vjinfotech Wp Import Export Lite
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:38.809Z

Reserved: 2025-06-17T17:24:19.547Z

Link: CVE-2025-6207

Vulnrichment

Updated: 2025-08-05T15:52:31.308Z

NVD

Status : Analyzed

Published: 2025-08-05T08:15:26.800

Modified: 2025-08-12T16:29:41.927

Link: CVE-2025-6207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses