Import Export Suite for CSV and XML Datafeed < 7.19.1 – Subscriber+ Arbitrary File Deletion | CVE 2025-2007 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

wp-ultimate-csv-importer

Fixed in 7.19.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3923c732-80b5-4a04-80dd-b4d5b5e5567d

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

6d50b37c-fa24-47e2-99ad-4a09f3dfbb98

Timeline

Publicly Published

2025-03-25 (about 1 year ago)

Added

2025-04-01 (about 1 year ago)

Last Updated

2025-04-01 (about 1 year ago)

Other

Published

Title

Published

2025-07-08

Title

SureForms < 1.7.4 - Unauthenticated Arbitrary File Deletion

Published

2025-09-10

Title

Propovoice < 1.7.7 - Unauthenticated Arbitrary File Read

Published

2025-07-06

Title

WP Pipes <= 1.4.3 - Unauthenticated Arbitrary File Deletion

Published

2025-05-21

Title

KBx Pro Ultimate < 8.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2025-07-14

Title

Alone – Charity Multipurpose Non-profit WordPress Theme < 7.8.7 - Missing Authorization to Unauthenticated Arbitrary File Deletion