PT-2025-38115 · WordPress · Wp Import – Ultimate Csv Xml Importer For Wordpress
Arkadiusz Hydzik · Published 2025-09-17 · Updated 2025-09-17
CVE-2025-10057
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WP Import – Ultimate CSV XML Importer for WordPress plugin versions prior to 7.29
Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin is susceptible to Remote Code Execution due to the write_to_customfile() function writing unfiltered PHP code to a file. Authenticated attackers with Subscriber-level access or higher can inject PHP code into the customFunction.php file, leading to potential remote code execution.
Recommendations
Update the WP Import – Ultimate CSV XML Importer for WordPress plugin to version 7.29 or later.
Fix
RCE
Code Injection
Affected Products
Wp Import – Ultimate Csv Xml Importer For Wordpress