CVE-2025-5061

Name of the Vulnerable Software and Affected Versions WP Import Export Lite plugin for WordPress versions up to and including 3.9.29

Description The WP Import Export Lite plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation within the wpie parse upload data function. This allows authenticated attackers with Subscriber-level access or higher, and permissions granted by an Administrator, to upload arbitrary files to the affected server, potentially leading to remote code execution. The vulnerability was partially addressed in version 3.9.29.

Recommendations Versions prior to 3.9.29 should be updated. As a temporary workaround, restrict file upload permissions for users with Subscriber-level access and below.