20,000 WordPress Sites at Risk of File Upload & Deletion Exploits

A critical security alert has been issued to WordPress site administrators following the discovery of two high-severity vulnerabilities in the “WP Ultimate CSV Importer” plugin.

With over 20,000 active installations, the plugin’s flaws pose a significant risk to affected websites, potentially leading to complete site takeovers by attackers.

CVE Identified: File Upload and Deletion Exploits

The vulnerabilities, tracked as CVE-2025-2008 and CVE-2025-2007, were responsibly disclosed in March 2025 through the Wordfence Bug Bounty Program by researcher “mikemyers.” These include:

  1. CVE-2025-2008: Arbitrary File Upload
    The plugin’s import functionality lacked proper file type validation, allowing authenticated attackers with subscriber-level access or higher to upload arbitrary files, including malicious PHP scripts. The uploaded code could then be executed to achieve remote server control.
  2. CVE-2025-2007: Arbitrary File Deletion
    An error in the plugin’s file deletion function enabled attackers to delete any file on the server, such as the critical wp-config.php file. Deleting this file forces the site into a setup state, potentially allowing attackers to redirect the site to a database under their control for further exploitation.

Both vulnerabilities received high CVSS scores of 8.8 and 8.1, respectively, reflecting the serious risk they pose.

Details of Exploits

Arbitrary File Upload Vulnerability

The file upload issue arises from the plugin’s import_single_post_as_csv() function, which failed to validate file types and extensions.

Attackers could exploit this by uploading malicious files to WordPress’ default uploads directory. Once uploaded, these files could trigger remote code execution, enabling full site compromises.

Arbitrary File Deletion Vulnerability

The deletion vulnerability resides in the deleteImage() function, which improperly sanitizes file paths. This allowed attackers to specify and delete any file on the server.

For instance, removing the wp-config.php file could lead to attackers hijacking the site during reconfiguration.
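The two defensive checks whose absence the advisory describes, as an added PHP example written for this article and not the plugin's own code: a capability gate plus an extension and content-type allowlist for import uploads, and a path-containment check before deletion. The function names and the `manage_options` capability choice are assumptions; the WordPress core helpers used (`current_user_can`, `wp_check_filetype_and_ext`, `wp_get_upload_dir`) are real.

```php
<?php
// Added defensive example for this advisory, not the plugin's real code.
// Function names and the required capability are hypothetical choices.

// Allowlist of formats a CSV importer legitimately needs. Anything else
// (php, phtml, html, ...) is rejected regardless of what the client claims.
const SAFE_IMPORT_EXTS = array( 'csv', 'xml', 'txt', 'zip' );

/**
 * Validate an uploaded import file before it is moved into the uploads dir.
 * Returns true on success or a WP_Error describing the rejection.
 */
function safe_import_validate_upload( array $file ) {
    // Subscriber-level users should never reach the import path at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    if ( ! isset( $file['tmp_name'], $file['name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_upload', 'Not a valid upload.' );
    }
    // Check the extension and the file's real content type together;
    // wp_check_filetype_and_ext() returns an empty 'ext' when they disagree.
    $allowed = array( 'csv' => 'text/csv', 'xml' => 'text/xml', 'txt' => 'text/plain', 'zip' => 'application/zip' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || ! in_array( $check['ext'], SAFE_IMPORT_EXTS, true ) ) {
        return new WP_Error( 'bad_type', 'Only CSV/XML/TXT/ZIP imports are accepted.' );
    }
    return true;
}

/**
 * Delete a previously imported image only if the canonical path stays inside
 * wp-content/uploads. Traversal segments and absolute paths both fail.
 */
function safe_import_delete_image( string $relative_path ) : bool {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $base   = realpath( wp_get_upload_dir()['basedir'] );
    $target = realpath( $base . '/' . ltrim( $relative_path, '/\\' ) );
    // realpath() collapses ".." and returns false for non-existent files.
    if ( false === $base || false === $target ) {
        return false;
    }
    // Containment check: the canonical target must be a descendant of $base.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return unlink( $target );
}
```

Both functions fail closed: a request that reaches either one without the capability, with a disguised PHP file, or with a path that resolves outside the uploads directory is refused before any filesystem write or delete happens.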

Upon notification of the vulnerabilities on March 5, 2025, the plugin developer Smackcoders acted promptly. Following collaboration with the Wordfence team, a patched version (7.19.1) was released on March 25, 2025.

Wordfence users with active security plugins have been protected since the vulnerabilities’ disclosure, but widespread updates remain critical.

All users of the WP Ultimate CSV Importer plugin are urged to immediately update to version 7.19.1 or higher.

Administrators should ensure their sites are not running vulnerable versions, as these exploits could lead to devastating outcomes ranging from data breaches to site takeovers.

Additionally, WordPress administrators are encouraged to use robust security tools, such as the Wordfence firewall, which includes protection against such exploits.

The discovery of these vulnerabilities highlights the ongoing need for vigilance in maintaining WordPress site security.

While the vendor’s swift response resulted in a timely patch, the task now falls to users to deploy this update and safeguard their sites.

If you or someone you know uses the WP Ultimate CSV Importer plugin, share this advisory to ensure widespread awareness and action.

Cybersecurity begins with proactive measures—and keeping software updated is a vital step in protecting digital assets.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
