{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2008", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-05T21:30:50.072Z", "datePublished": "2025-04-01T04:21:20.673Z", "dateUpdated": "2026-04-08T17:12:19.719Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:19.719Z"}, "affected": [{"vendor": "smackcoders", "product": "WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.19", "versionType": "semver"}, {"version": "7.20", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1."}], "title": "Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a114faf9-cada-4132-abe3-c0137b66e276?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3261521/wp-ultimate-csv-importer/trunk/SingleImportExport.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3266286/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-03-31T15:56:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-01T16:21:24.979946Z", "id": "CVE-2025-2008", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T16:21:35.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2008", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-01T16:21:24.979946Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T16:21:30.402Z"}}], "cna": {"title": "Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "smackcoders", "product": "Import Export Suite for CSV and XML Datafeed", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.19"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-31T15:56:17.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a114faf9-cada-4132-abe3-c0137b66e276?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3261521/wp-ultimate-csv-importer/trunk/SingleImportExport.php"}], "descriptions": [{"lang": "en", "value": "The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-01T04:21:20.673Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2008", "state": "PUBLISHED", "dateUpdated": "2025-04-01T16:21:35.775Z", "dateReserved": "2025-03-05T21:30:50.072Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-01T04:21:20.673Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1."}, {"lang": "es", "value": "El complemento Import Export Suite para CSV y XML Datafeed de WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n import_single_post_as_csv() en todas las versiones hasta la 7.19 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-2008", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-01T05:15:47.320", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3261521/wp-ultimate-csv-importer/trunk/SingleImportExport.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3266286/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a114faf9-cada-4132-abe3-c0137b66e276?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:34:44.855055+00:00", "value": {"mitigation_remediation": ["Update the WP Ultimate CSV Importer plugin to version 7.20.1 or later to remove the missing file\u2011type validation check.", "Limit the file types and sizes accepted by the import feature through plugin settings or server\u2011side MIME type checks, ensuring only safe CSV, XML, or Excel files are processed.", "Continuously monitor upload logs for anomalous activity and rotate or revoke credentials for users with elevated roles if suspicious behavior is detected."], "summary": {"action": "Apply Patch", "impact": "Remote code execution through arbitrary file upload"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the \"WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress\" plugin in any version up to and including 7.19 are affected. The flaw was inadvertently reintroduced in version 7.20, but was corrected again in 7.20.1. Sites using these versions and granting Subscriber access or higher to any user must consider the potential risk.", "description_and_impact": "The vulnerability is caused by a lack of file type validation in the import_single_post_as_csv() routine, allowing an authenticated user with a Subscriber role or higher to upload any file to the site\u2019s server. Once a file is stored, the attacker can potentially execute code on the server, creating a path to full compromise. This flaw maps to CWE\u2011434, an untrusted upload weakness with high confidentiality, integrity, and availability impact.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity with an estimated loss of confidentiality and integrity and a possibility of non\u2011availability. The EPSS score of 1% signals that while the exploitation probability is low, it is still plausible. The plug\u2011in is not listed in the CISA KEV catalog. The likely attack vector requires login credentials and relies on the website\u2019s permission hierarchy; a user with Subscriber or above can use the import feature to successfully upload a malicious file."}}}}, "created": "2026-04-21T21:45:25.840893+00:00", "updated": "2026-04-21T21:45:25.840912+00:00", "vendors": []}