{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10058", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-05T19:41:54.480Z", "datePublished": "2025-09-17T05:18:44.816Z", "dateUpdated": "2026-04-08T16:55:07.390Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:07.390Z"}, "affected": [{"vendor": "smackcoders", "product": "WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.27", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a6bcfa6-7a40-4566-b4d2-62b696ded2d6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L200"}, {"url": "https://plugins.trac.wordpress.org/changeset/3360611/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Arkadiusz Hydzik"}], "timeline": [{"time": "2025-09-05T19:57:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-16T17:09:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T12:48:36.842834Z", "id": "CVE-2025-10058", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T12:48:43.552Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10058", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-17T12:48:36.842834Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T12:48:40.350Z"}}], "cna": {"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Arkadiusz Hydzik"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "smackcoders", "product": "WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.27"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-05T19:57:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-16T17:09:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a6bcfa6-7a40-4566-b4d2-62b696ded2d6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L200"}, {"url": "https://plugins.trac.wordpress.org/changeset/3360611/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"}], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:07.390Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10058", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:07.390Z", "dateReserved": "2025-09-05T19:41:54.480Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-17T05:18:44.816Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "id": "CVE-2025-10058", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-17T06:15:45.730", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L200"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3360611/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a6bcfa6-7a40-4566-b4d2-62b696ded2d6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:53:46.407020+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Ultimate CSV Importer plugin to a version that contains the path validation fix (any release newer than 7.27).", "If upgrading is delayed, disable the FTP upload module or block access to uploadModules/FtpUpload.php via web server configuration to prevent file deletion attempts.", "Configure the server file system so that only privileged users have write/delete rights on site files, ensuring that even if the vulnerability were exploited, the damage would be limited."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file deletion leading to potential remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects version 7.27 and earlier of the WP Ultimate CSV Importer plugin by smackcoders, an import tool for WordPress that handles CSV, XML, and Excel files.", "description_and_impact": "The plugin\u2019s upload_function() lacks proper file path validation, allowing an authenticated user with Subscriber-level access or higher to specify any file path and delete files on the server. The vulnerability is a classic CWE-73 path traversal flaw; deleting critical files such as wp-config.php can lead to full site compromise. The impact is loss of data integrity and availability, and it can enable remote code execution if the deleted file is essential for secure operation.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low current exploitation likelihood. The issue is not listed in CISA\u2019s KEV catalog. The likely attack vector requires authentication; a subscriber or higher role can trigger the delete function after logging into the WordPress dashboard. Successful exploitation requires that the targeted server files be writable and that the attacker knows a valid file path to delete."}}}}, "created": "2026-04-22T17:00:12.326478+00:00", "updated": "2026-04-22T17:00:12.326491+00:00", "vendors": []}