
Over 20,000 WordPress sites are affected by a pair of high-severity flaws in the WP Ultimate CSV Importer plugin, which authenticated users with elevated privileges could exploit to fully compromise a site, reports Infosecurity Magazine.

The more severe of the two is an arbitrary file upload bug, tracked as CVE-2025-2008, which arises from improper file type validation in one of the plugin's functions and can be leveraged for remote code execution and site hijacking, according to a Wordfence alert. The arbitrary file deletion issue, tracked as CVE-2025-2007, originates from inadequate file path validation and could be used to take over a site through its setup process: deleting wp-config.php returns WordPress to its installation wizard, which an attacker can then walk through against a database they control. Smackcoders, the plugin's developer, has already issued an update addressing both bugs. "We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Ultimate CSV Importer as soon as possible considering the critical nature of these vulnerabilities," said Wordfence.
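The two bug classes described above, shown side by side with their hardened forms, as an added illustration that is not code from WP Ultimate CSV Importer or from Wordfence. Every function name, the allow-listed extensions and the scratch directory layout are assumptions made for the demo; the first pair shows why trusting a client-supplied filename turns a "CSV" upload into an executable PHP file, the second why an unchecked relative path lets a delete request reach wp-config.php.

```php
<?php
declare(strict_types=1);
// Constructed illustration of the two bug classes in the article: arbitrary file
// upload via missing type validation, and arbitrary file deletion via missing
// path validation. NOT code from the plugin; all names are hypothetical.
// Runs stand-alone: php demo.php

const ALLOWED_EXT = ['csv', 'txt', 'xml', 'zip']; // assumed import formats

// Weak pattern: the client-supplied filename is trusted verbatim, so an
// "import file" named shell.php lands under the web root as executable PHP.
function unsafeStore(string $uploadDir, string $clientName, string $data): string
{
    $dest = $uploadDir . '/' . $clientName;
    file_put_contents($dest, $data);
    return $dest;
}

// Hardened pattern: strip directory components, allow-list the final
// extension, and never let the client choose the stored name (so a double
// extension such as shell.php.csv is stored as <random>.csv, not as given).
function safeStore(string $uploadDir, string $clientName, string $data): ?string
{
    $name = basename($clientName);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null; // rejected: .php, .phtml, .phar, ...
    }
    $dest = $uploadDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    file_put_contents($dest, $data);
    return $dest;
}

// Weak pattern: "../wp-config.php" walks straight out of the upload directory.
function unsafeDelete(string $uploadDir, string $relative): bool
{
    $target = $uploadDir . '/' . $relative;
    return is_file($target) && unlink($target);
}

// Hardened pattern: canonicalise both paths (this also resolves symlinks) and
// require the target to sit inside the upload directory. The trailing separator
// in the prefix stops "/uploads2/..." from passing as "/uploads".
function safeDelete(string $uploadDir, string $relative): bool
{
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . '/' . $relative);
    if ($base === false || $target === false) {
        return false; // directory missing or target does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // outside the allowed directory
    }
    return is_file($target) && unlink($target);
}

// --- Demo on a scratch directory standing in for a WordPress install -----
$root = sys_get_temp_dir() . '/csvimp_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // stand-in for the real config\n");

$webshell = '<?php system($_GET["c"]); ?>'; // constructed payload text, never executed here

printf("unsafeStore  -> %s\n", unsafeStore($root . '/uploads', 'shell.php', $webshell));
printf("safeStore    -> %s\n", safeStore($root . '/uploads', 'shell.php', $webshell) ?? 'rejected');
printf("safeStore    -> %s\n", safeStore($root . '/uploads', 'shell.php.csv', $webshell) ?? 'rejected');

printf("safeDelete   -> %s\n", safeDelete($root . '/uploads', '../wp-config.php') ? 'deleted' : 'refused');
printf("wp-config.php present: %s\n", file_exists($root . '/wp-config.php') ? 'yes' : 'no');
printf("unsafeDelete -> %s\n", unsafeDelete($root . '/uploads', '../wp-config.php') ? 'deleted' : 'refused');
printf("wp-config.php present: %s\n", file_exists($root . '/wp-config.php') ? 'yes' : 'no');
```

In a real plugin the same checks are best delegated to WordPress itself: pass uploads through wp_handle_upload() so that wp_check_filetype_and_ext() and the upload_mimes allow-list decide what is accepted, and gate every admin or AJAX handler with current_user_can() plus a nonce check, since both flaws here were reachable by authenticated users. To confirm a site is on the patched release, `wp plugin list --name=wp-ultimate-csv-importer --fields=name,version,update` (slug assumed) shows the installed version and whether an update is pending.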