01 Description: What the vulnerability does
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
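A defender-side triage helper for the issue described above, added here as an illustration and not taken from the plugin or the advisory: it reads the plugin's `Version:` header to decide whether an install is at or below 7.28, and summarises the customFunction.php file (the functions it defines and any calls typical of injected code) for manual review. The file contents, the function names and the suspicious-call list are constructed assumptions, not data from the page.

```python
"""Triage helper for the WP Import (Ultimate CSV XML Importer) advisory.

Added illustration, not the plugin's own code. It assumes you can read the
plugin's main file (for the 'Version:' header) and the customFunction.php
file the advisory names; all sample contents below are constructed.
"""
import re

LAST_AFFECTED = (7, 28, 0)  # advisory: all versions up to and including 7.28
# Calls that are common in injected PHP; their presence is an indicator only.
SUSPICIOUS_CALLS = ("eval", "system", "shell_exec", "exec", "passthru",
                    "assert", "base64_decode", "create_function")

def parse_version(plugin_main_file: str) -> tuple:
    """Read the 'Version:' header of a WordPress plugin main file as a 3-tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", plugin_main_file, re.M)
    if not m:
        raise ValueError("no Version: header found")
    parts = [int(p) for p in m.group(1).strip(".").split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version: tuple) -> bool:
    """True when the installed version is <= 7.28 (padded tuple comparison)."""
    return version <= LAST_AFFECTED

def review_custom_file(php_source: str) -> dict:
    """Summarise customFunction.php for manual review: the functions it defines
    and any calls from SUSPICIOUS_CALLS. A clean install's file should only
    hold the custom import functions the site owner wrote themselves."""
    defined = re.findall(r"\bfunction\s+([A-Za-z_]\w*)\s*\(", php_source)
    flagged = sorted({name for name in SUSPICIOUS_CALLS
                      if re.search(rf"\b{name}\s*\(", php_source)})
    return {"functions": defined, "suspicious_calls": flagged}

# Constructed samples standing in for the two files on a real install.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: WP Import\nVersion: 7.28\n*/\n"
SAMPLE_CUSTOM = ("<?php\nfunction my_format_price($v) { return trim($v); }\n"
                 "function x9($q) { return shell_exec($q); }\n")

if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print("installed", ".".join(map(str, v)), "affected:", is_affected(v))
    print(review_custom_file(SAMPLE_CUSTOM))
```

Run it against the real plugin header and custom file on an install to get an affected/not-affected verdict plus a short list of functions to eyeball; a non-empty `suspicious_calls` list warrants a manual look, not an automatic conclusion.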
02 Summary: Explanation of the vulnerability in simple terms
The WP Import plugin for WordPress versions 7.20 through 7.28 contains a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary PHP code on the site. An attacker with a basic user account can inject malicious code through the import functionality, gaining full control over the site's data and operations. Sites running affected versions should update immediately.
03 Attacker capabilities: What an attacker can do
Run arbitrary PHP code on the site and access or modify all data.
04 Site impact: Potential impact on your site
Complete site compromise: data theft, malware injection, or total loss of control.
05 Prerequisites: Conditions required to exploit
Attacker needs a low-privilege WordPress user account (e.g., subscriber or contributor).
06 Disclosure timeline: Key dates
September 17, 2025: CVE published
September 17, 2025: Record updated