Introduction

Two critical security vulnerabilities have been discovered in the WP Ultimate CSV Importer plugin for WordPress [2] [5], potentially affecting up to 20000 websites [5]. These vulnerabilities, identified as CVE-2025-2007 and CVE-2025-2008 [1], pose significant risks, including remote code execution and site compromise.

Description

Two high-risk security vulnerabilities have been identified in the WP Ultimate CSV Importer plugin for WordPress [2] [5], designated as CVE-2025-2007 and CVE-2025-2008 [1], affecting versions up to 7.19 and potentially exposing approximately 20000 websites to attacks.

The first vulnerability, CVE-2025-2008 [1] [2] [3] [4] [5], is an arbitrary file upload flaw with a CVSS score of 8.8 [5], arising from the importsinglepostascsv() function’s lack of proper file type validation [2] [5]. This allows authenticated users with subscriber-level access or higher to upload malicious PHP files [2] [5], enabling remote code execution and potential full site compromise [5].

The second vulnerability, CVE-2025-2007 [1] [2] [3] [4] [5], is an arbitrary file deletion flaw with a CVSS score of 8.1 [2] [5], resulting from insufficient file path validation in the deleteImage() function [2] [5]. This flaw permits attackers to delete critical files [5], such as wp-config.php [5], leading to site resets and hijacking of the setup process [5].
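The two checks whose absence the advisory describes, written as a plain PHP example added here (not code from the plugin or Smackcoders): an extension allow-list for uploaded file names, and a realpath() containment check before a deletion. Function names, the allow-list and the throw-away demo files are assumptions made for this illustration.

```php
<?php
// Added example, not code from the plugin or its vendor: the two checks whose
// absence the advisory describes, as plain PHP that runs without WordPress.
// The allow-list, directory names and sample files are constructed for this demo.

const ALLOWED_EXTENSIONS = ['csv', 'txt'];

// Check 1 (upload): accept only a bare file name with exactly one dot and an
// allow-listed extension. "shell.php", "shell.php.csv" and "SHELL.PHP" all fail.
function validate_upload_name(string $original_name): ?string
{
    $base = basename($original_name);
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $base : null;
}

// Check 2 (delete): resolve the requested path and refuse anything that does
// not end up strictly inside the uploads directory. realpath() collapses "..",
// so a path that escapes toward wp-config.php resolves outside $base_dir.
function resolve_inside(string $base_dir, string $requested): ?string
{
    $base   = realpath($base_dir);
    $target = realpath($base_dir . '/' . $requested);
    if ($base === false || $target === false) {
        return null;   // unresolvable path: refuse rather than guess
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Demonstration with a throw-away uploads directory and a stand-in for wp-config.php.
$uploads = sys_get_temp_dir() . '/csv_importer_demo_' . getmypid();
mkdir($uploads);
file_put_contents("$uploads/products.csv", "sku,price\n1,9.99\n");
$config = sys_get_temp_dir() . '/wp-config-standin.php';   // constructed, not a real site
file_put_contents($config, "<?php // stand-in\n");

foreach (['products.csv', 'shell.php', 'shell.php.csv', 'Data.CSV'] as $name) {
    printf("upload %-14s -> %s\n", $name, validate_upload_name($name) ?? 'rejected');
}
foreach (['products.csv', '../wp-config-standin.php', 'products.csv/../../wp-config-standin.php'] as $p) {
    printf("delete %-44s -> %s\n", $p, resolve_inside($uploads, $p) ?? 'rejected');
}
unlink("$uploads/products.csv");
rmdir($uploads);
unlink($config);
```

Only products.csv passes each check; every other name or path prints "rejected".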

These vulnerabilities were reported by researcher “mikemyers” through the Wordfence Bug Bounty Program [2], with the issues disclosed to the plugin’s developers, Smackcoders [2], on March 5, 2025 [2], and acknowledged on March 7 [2]. A patched version, 7.19.1 [1] [2], was released on March 25, 2025 [2], which addresses these vulnerabilities [1].

Conclusion

To mitigate these risks [1], website administrators are urged to update to version 7.19.1 promptly. Although no exploitation has been reported to date [1], the severity of these flaws underscores the importance of timely updates and vigilant security practices, including ongoing monitoring and prompt response to emerging threats, to maintain website integrity and security.

References

[1] https://www.heise.de/en/news/Websites-can-be-compromised-Gaps-in-WordPress-plug-in-WP-Ultimate-CSV-Importer-10336080.html
[2] https://ciso2ciso.com/wp-ultimate-csv-importer-flaws-expose-20000-websites-to-attacks-source-www-infosecurity-magazine-com/
[3] https://www.heise.de/news/Websites-kompromittierbar-Luecken-in-WordPress-Plug-in-WP-Ultimate-CSV-Importer-10335977.html
[4] https://feedly.com/cve/CVE-2025-2008
[5] https://www.infosecurity-magazine.com/news/wp-ultimate-csv-importer-flaws/