Import any XML, CSV or Excel File to WordPress < 3.9.4 – Admin+ Limited Unsafe File Upload | CVE 2025-10001 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 3.9.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/bb03aeb8-32ab-4962-bc95-b10fb7bd7fcf

Miscellaneous

Original Researcher

Nguyen Quang Truong (Roll)

Verified

No

WPVDB ID

011e3d08-6e1c-43b5-a41f-25e4d71542a6

Timeline

Publicly Published

2025-09-09 (about 6 months ago)

Added

2025-09-09 (about 6 months ago)

Last Updated

2025-09-09 (about 6 months ago)

Other

Published

Title

Published

2021-11-16

Title

Directorist – Business Directory Plugin < 7.0.6.2 - CSRF to Remote File Upload

Published

2024-05-28

Title

WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.5.0 - Admin+ Arbitrary File Upload

Published

2024-04-25

Title

Product Addons & Fields for WooCommerce < 32.0.19 - Unauthenticated Arbitrary File Upload via ppom_upload_file

Published

2025-03-11

Title

ThemeEgg ToolKit <= 1.2.9 - Authenticated (Administrator+) Arbitrary File Upload

Published

2025-06-09

Title

Abandoned Cart Pro for WooCommerce < 9.17.0 - Authenticated (Subscriber+) Arbitrary File Upload