WordPress Plugin Vulnerabilities

WP Import – Ultimate CSV XML Importer for WordPress < 7.28 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.

Affects Plugins

Plugin icon
wp-ultimate-csv-importer
Fixed in 7.28

References

CVE
CVE-2025-10040
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcdcaa4-c492-4d79-8d18-44802abd02e7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Arkadiusz Hydzik
Verified
No
WPVDB ID
b79dcd16-92ce-4bb2-bd03-5d371ff8e1f4

Timeline

Publicly Published
2025-09-09 (about 8 months ago)
Added
2025-09-09 (about 8 months ago)
Last Updated
2025-09-10 (about 8 months ago)

Other

Published
Title
Published
2026-02-06
Title
myCred < 2.9.7.4 - Missing Authorization
Published
2025-04-01
Title
Review Manager <= 2.5.0 - Missing Authorization
Published
2025-04-04
Title
Simple Website Logo <= 1.1 - Missing Authorization
Published
2024-12-02
Title
WP Mailster < 1.8.17.0 - Missing Authorization
Published
2024-08-07
Title
Orchid Store < 1.5.7 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation