WordPress Plugin Vulnerabilities

WP Import – Ultimate CSV XML Importer for WordPress < 7.28 - Authenticated (Subscriber+) Arbitrary File Deletion

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
wp-ultimate-csv-importer
Fixed in 7.28

References

CVE
CVE-2025-10058
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5a6bcfa6-7a40-4566-b4d2-62b696ded2d6

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Arkadiusz Hydzik
Verified
No
WPVDB ID
d7ef6edf-c094-457d-9b78-fa74cef98f44

Timeline

Publicly Published
2025-09-16 (about 7 months ago)
Added
2025-09-16 (about 7 months ago)
Last Updated
2025-09-17 (about 7 months ago)

Other

Published
Title
Published
2025-07-08
Title
SureForms < 1.7.4 - Unauthenticated Arbitrary File Deletion
Published
2025-04-07
Title
Simple WP Events < 1.9.0 - Unauthenticated Arbitrary File Deletion
Published
2024-11-11
Title
Multiple Page Generator Plugin – MPG < 4.0.3 - Authenticated (Editor+) Directory Traversal to Limited File Deletion
Published
2026-05-13
Title
Motors – Car Dealer, Classifieds & Listing < 1.4.108 - Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter
Published
2026-04-21
Title
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters