CVE-2025-34083

Name of the Vulnerable Software and Affected Versions: WordPress AIT CSV Import/Export plugin versions ≤ 3.0.3

Description: The issue allows for an unrestricted file upload, where an attacker can upload arbitrary files, including malicious PHP code, to the server via a multipart/form-data POST request to the "upload-handler.php" endpoint. This endpoint lacks authentication and content-type validation, making it possible to upload malicious files directly to the server. Even if the upload results in a CSV parsing error, the malicious file remains saved and executable under wp-content/uploads/. Notably, the plugin does not need to be active for the exploitation to succeed.

Recommendations: For WordPress AIT CSV Import/Export plugin versions ≤ 3.0.3, update to a version greater than 3.0.3 to resolve the issue. As a temporary workaround, consider disabling the upload-handler.php endpoint until a patch is available. Restrict access to the wp-content/uploads/ directory to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.