CVE-2025-10057 HIGH

CVE-2025-10057: WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection

Vendor Smackcoders
Product WP Import – Ultimate CSV XML Importer for WordPress
Weakness CWE-94 · Code injection
Published September 17, 2025
Last update September 17, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject PHP code into the customFunction.php file; requesting that file then triggers remote code execution.

Explanation of Vulnerability in Simple Terms

02 Summary

The WP Import plugin for WordPress versions 7.20 through 7.28 contains a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary PHP code on the site. An attacker with a basic user account can inject malicious code through the import functionality, gaining full control over the site's data and operations. Sites running affected versions should update immediately.
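A triage check for site owners, added here as an example and not part of the advisory or of the plugin's own code: it reads the plugin's `Version:` header, tests it against the 7.20 - 7.28 range the advisory names, and fingerprints any customFunction.php under the plugin directory so it can be compared with a clean copy. The plugin directory path, the standard WordPress header format and the location of customFunction.php are assumptions; `PLUGIN_DIR` is a placeholder to replace with the real install path.

```python
"""Triage helper for CVE-2025-10057 (added example, not Smackcoders' code).

Assumed, not stated on the advisory: the plugin's main file carries a standard
WordPress 'Version:' header and customFunction.php sits below the plugin
directory. PLUGIN_DIR is a placeholder; point it at the real install.
"""
import hashlib
import re
from pathlib import Path

AFFECTED_MIN = (7, 20)  # first affected release per the advisory title
AFFECTED_MAX = (7, 28)  # "all versions up to, and including, 7.28"
PLUGIN_DIR = Path("wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER")


def parse_version(text):
    """'7.28' -> (7, 28); extra components such as '7.28.1' are kept."""
    return tuple(int(p) for p in text.strip().split("."))


def is_affected(version):
    """True when the installed version falls inside the advisory's range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def header_version(plugin_main_php):
    """Read the 'Version:' field of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", plugin_main_php, re.M)
    return m.group(1) if m else None


def sha256_hex(data):
    """Hex SHA-256 of raw file bytes, for comparison against a clean copy."""
    return hashlib.sha256(data).hexdigest()


def fingerprint_custom_files(plugin_dir):
    """Hash every customFunction.php under plugin_dir; the advisory names that
    file as the injection target, so any drift from a clean copy needs review."""
    plugin_dir = Path(plugin_dir)
    if not plugin_dir.is_dir():
        return {}
    return {str(p): sha256_hex(p.read_bytes())
            for p in plugin_dir.rglob("customFunction.php")}


# Constructed sample header for a stand-alone run (not the real plugin file).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Sample\nVersion: 7.28\n*/\n"

if __name__ == "__main__":
    ver = header_version(SAMPLE_HEADER)
    print(f"version {ver}: affected={is_affected(ver)}")
    for path, digest in fingerprint_custom_files(PLUGIN_DIR).items():
        print(f"{path}: sha256={digest}")
```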

What an attacker can do

03 Attacker Capabilities

Run arbitrary PHP code on the site and access or modify all data.

Potential impact on your site

04 Site Impact

Complete site compromise: data theft, malware injection, or total loss of control.

Conditions required to exploit

05 Prerequisites

Attacker needs a low-privilege WordPress user account (e.g., subscriber or contributor).

Key dates

06 Disclosure timeline

September 17, 2025 CVE published
September 17, 2025 Record updated