CVE-2025-2007 HIGH

CVE-2025-2007: Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion

Vendor Smackcoders

Product WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress

Weakness CWE-23

Published April 1, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.

Key dates

02Disclosure timeline

April 1, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-2007

Related vulnerabilities

Identifiers

CVE CVE-2025-2007

CWE CWE-23

CVSS 8.1 / HIGH

Affected versions

Vendor Smackcoders

Product WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress

Affected ≤ 7.19

Vendor Smackcoders

Product WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress

Affected 7.20

CVE-2025-2007: Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion

01Description

02Disclosure timeline

03References

04Related CVE