Security researchers have recently uncovered two high-risk security vulnerabilities in the WP Ultimate CSV Importer plugin for WordPress, with the potential to impact over 20,000 websites. These vulnerabilities, when exploited by authenticated users with subscriber-level access or higher, allow for the uploading of arbitrary files and the deletion of critical site files. This level of access could enable attackers to completely compromise a site.
The vulnerabilities in question, an arbitrary file upload flaw and an arbitrary file deletion flaw, affect versions of WP Ultimate CSV Importer up to 7.19. According to a recent advisory by Wordfence, attackers leveraging these flaws could achieve remote code execution or manipulate a site into a compromised state.
The arbitrary file upload vulnerability (CVE-2025-2008) has been assigned a CVSS score of 8.8. The issue lies in the import_single_post_as_csv() function of the CSV Importer plugin, where there is a lack of proper file type validation. This oversight allows attackers to upload malicious PHP files that could execute code remotely, potentially paving the way for a full site takeover.
On the other hand, the arbitrary file deletion flaw (CVE-2025-2007) carries a CVSS score of 8.1. In this instance, the deleteImage() function does not have adequate file path validation, enabling attackers to delete various files, including critical ones like wp-config.php. This action could trigger a site reset and grant attackers the ability to hijack the setup process.
The vulnerabilities were originally reported through the Wordfence Bug Bounty Program by a researcher known as “mikemyers,” with Wordfence subsequently informing the plugin’s developers, Smackcoders, about the issues on March 5, 2025. The vendor acknowledged the report on March 7, and a fully patched version, 7.19.1, was released on March 25, 2025.
In light of the critical nature of these vulnerabilities, Wordfence emphasized the importance of WordPress users updating their sites to the latest patched version of WP Ultimate CSV Importer promptly. Given the severity of these security flaws, website administrators are strongly advised to ensure that their installations are up to date to mitigate any potential risks.
It is crucial for website owners to stay vigilant and proactive in addressing security vulnerabilities to safeguard their online platforms and protect against potential exploitation by malicious actors. By staying informed and promptly implementing necessary security updates, users can reduce the risk of falling victim to cybersecurity threats and maintain the integrity and security of their WordPress websites.