Full Report
WP Ultimate CSV Importer flaws expose 20,000 websites to attacks enabling attackers to achieve full site compromise
Analysis Summary
# Vulnerability: Critical Flaws in WP Ultimate CSV Importer Allow File Upload/Deletion
## CVE Details
- CVE ID: CVE-2025-2008 (Arbitrary File Upload)
- CVSS Score: 8.8 (High)
- CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type - Implied for CVE-2025-2008)
- CVE ID: CVE-2025-2007 (Arbitrary File Deletion)
- CVSS Score: 8.1 (High)
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - Implied for CVE-2025-2007)
## Affected Systems
- Products: WP Ultimate CSV Importer plugin for WordPress (Developed by Smackcoders)
- Versions: up to and including **7.19**
- Configurations: Requires **authenticated users** with subscriber-level access or higher.
## Vulnerability Description
Two severe vulnerabilities were discovered in the WP Ultimate CSV Importer plugin:
1. **Arbitrary File Upload (CVE-2025-2008):** The `import_single_post_as_csv()` function fails to implement proper file type validation. This allows an authenticated attacker to upload malicious PHP files, leading to potential Remote Code Execution (RCE) and full site compromise.
2. **Arbitrary File Deletion (CVE-2025-2007):** The `deleteImage()` function lacks sufficient validation of file paths. This allows an authenticated attacker to delete arbitrary files on the server, including critical files such as `wp-config.php`, which can force a site reset and enable the attacker to hijack the setup process.
## Exploitation
- Status: Not explicitly stated as being exploited in the wild, but the severity suggests high risk. **PoC available** (implied by the researcher's report via the Bug Bounty Program).
- Complexity: Likely **Low/Medium**, since only authenticated, low-privilege (Subscriber-level) access is required.
- Attack Vector: **Network** (via authenticated application access).
## Impact
- Confidentiality: **High** (RCE can lead to data theft)
- Integrity: **High** (RCE and file deletion can lead to complete system compromise/destruction)
- Availability: **High** (Deletion of critical files like configuration/database linkage can take the site offline)
## Remediation
### Patches
The vendor (Smackcoders) released the following patched version:
- **Version 7.19.1**
### Workarounds
If immediate patching is impossible, administrators should restrict the plugin's functions to the most privileged roles that actually need them. Given the severity (authenticated RCE and site destruction), prompt patching is strongly recommended over relying on workarounds.
## Detection
- **Indicators of Compromise (IOCs):**
* Unusual file uploads in plugin directories, particularly PHP files, originating from low-privileged users.
* Unexpected errors, or the site suddenly presenting the WordPress setup screen (the result of `wp-config.php` being deleted), following file modification or deletion activity.
- **Detection Methods and Tools:**
* Monitor WordPress access logs for POST requests targeting CSV importer functions associated with file operations (upload/delete).
* Web Application Firewalls (WAFs) configured to inspect parameters within requests targeting the plugin should be reviewed for bypasses.
* Security scanners focusing on WordPress plugins should detect the vulnerability signatures.
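The log-monitoring item above, as an added example that is not part of the original report: a small Python filter over web-server access logs that flags POST requests towards the plugin and any PHP file served from the uploads tree. The plugin URL slug, the request paths and the log lines are constructed assumptions, not values taken from the advisory.

```python
import re
from typing import Dict, List

# Apache/Nginx "combined" log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: placeholder slug; replace with the plugin path/action name seen in your own logs.
PLUGIN_SLUG = "wp-ultimate-csv-importer"

def classify(entry: Dict[str, str]) -> List[str]:
    """Return the detection rules a single parsed log entry matches."""
    hits = []
    path = entry["path"].lower()
    # The importer's upload/delete functions are reached through POST requests to the plugin,
    # so every POST that names the plugin is a candidate for review against the acting user.
    if entry["method"] == "POST" and PLUGIN_SLUG in path:
        hits.append("csv-importer file operation")
    # PHP must never execute from the uploads tree; a request for one is a dropped-webshell indicator.
    if "/wp-content/uploads/" in path and path.split("?")[0].endswith(".php"):
        hits.append("php executed from uploads")
    return hits

def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines and return one finding per matched rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        entry = m.groupdict()
        for rule in classify(entry):
            findings.append({"ip": entry["ip"], "time": entry["time"], "rule": rule, "path": entry["path"]})
    return findings

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wp-ultimate-csv-importer_upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2025:10:00:05 +0000] "GET /wp-content/uploads/2025/04/image.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Apr/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/04/report.csv HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Apr/2025:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['rule']}: {f['path']}")
```

Access logs do not carry the WordPress role of the requester, so each flagged POST still needs to be matched against the site's user activity to confirm it came from a low-privileged account.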
## References
- Vendor Advisory: Smackcoders advisory (implied via Wordfence reporting)
- Wordfence Advisory: See Wordfence advisory published around March 2025.
- Relevant links (defanged):
* infosecurity-magazine.com/news/wp-ultimate-csv-importer-flaws/