Overview
CVE-2025-10058 is a significant vulnerability that affects the WP Import – Ultimate CSV XML Importer for WordPress plugin. This plugin, used by numerous WordPress sites for data import, suffers from a severe flaw that allows arbitrary file deletion on the server. This issue affects all plugin versions up to and including 7.27. The gravity of this vulnerability is heightened due to the potential for authenticated attackers, even those with minimal Subscriber-level access, to exploit it. If the right file is deleted, such as wp-config.php, this vulnerability could lead to remote code execution, making it an issue of paramount concern.
Vulnerability Summary
CVE ID: CVE-2025-10058
Severity: High (8.1 CVSS Score)
Attack Vector: Network
Privileges Required: Low (Subscriber-level access)
User Interaction: Required
Impact: System compromise, data leakage, potential for remote code execution
Affected Products
Product | Affected Versions
WP Import – Ultimate CSV XML Importer for WordPress | Up to and including 7.27
How the Exploit Works
The vulnerability arises from insufficient file path validation in the upload_function() function within the WP Import – Ultimate CSV XML Importer for WordPress plugin. An attacker with at least Subscriber-level access can manipulate the file path parameters to delete arbitrary files on the server. If a critical file such as wp-config.php, which contains sensitive database access details, is deleted, it could disrupt the site’s functionality and open doors for further attacks, including remote code execution.
Conceptual Example Code
Here is a conceptual example of how an attacker might exploit the vulnerability:
POST /wp-content/plugins/wp-import/upload_function.php HTTP/1.1
Host: targetsite.com
Content-Type: multipart/form-data; boundary=boundary

--boundary
Content-Disposition: form-data; name="file"; filename="../../../../../../wp-config.php"
Content-Type: application/octet-stream

--boundary--
In this example, the attacker sends a POST request to the vulnerable upload_function.php, providing a relative path (`../../../../../../wp-config.php`) as the file name. This path leads to the deletion of the wp-config.php file, causing a severe disruption to the site and potentially paving the way for remote code execution.
Mitigation
Affected users should immediately apply the patch provided by the vendor. If the patch cannot be applied immediately, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation. Regularly updating software and plugins to their latest versions is also a recommended best practice to prevent exploitation.