Platform: wordpress
Component: wp-ultimate-csv-importer
Fixed in: 7.20.1
CVE-2025-2007 is an arbitrary file access vulnerability discovered in the WP Ultimate CSV Importer plugin for WordPress. This flaw allows authenticated attackers, even those with Subscriber-level access, to delete files on the server, potentially leading to remote code execution. The vulnerability affects versions 0.0.0 through 7.19, and was reintroduced in 7.20 before being patched in 7.20.1.
An attacker exploiting this vulnerability could delete critical WordPress files, such as wp-config.php, which contains sensitive database credentials and configuration settings. Deletion of this file would effectively disable the WordPress site and potentially expose sensitive information. The attacker requires Subscriber-level access or higher, but the ease of gaining such access varies depending on the site's security configuration. Successful file deletion can be a stepping stone to remote code execution, allowing the attacker to gain full control of the server. This vulnerability shares similarities with other file deletion vulnerabilities where the absence of proper file path validation allows for unauthorized access and manipulation of system files.
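The root cause described above is a file-deletion endpoint that neither verifies the caller's capability nor confines the requested path. The following PHP is an added example, not code from the WP Ultimate CSV Importer plugin; the action and function names are assumptions, and it shows the checks a hardened deletion handler applies so that a Subscriber cannot reach unlink() and no path outside the uploads directory can be resolved.

```php
<?php
// Added example, not code from the WP Ultimate CSV Importer plugin.
// Hypothetical AJAX handler showing the checks a file-deletion endpoint
// needs: capability, nonce, and confinement of the path to the uploads
// directory. Function and action names are assumptions.

add_action( 'wp_ajax_example_delete_upload', 'example_delete_upload' );

function example_delete_upload() {
    // 1. Authorization: a Subscriber lacks upload_files, so stops here.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection for the AJAX action.
    check_ajax_referer( 'example_delete_upload', 'nonce' );

    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( ! example_delete_within_uploads( $requested ) ) {
        wp_send_json_error( 'invalid path or file', 400 );
    }
    wp_send_json_success();
}

/**
 * Delete $relative only if it resolves to a regular file inside the
 * uploads base directory. Returns true on deletion, false otherwise.
 */
function example_delete_within_uploads( $relative ) {
    $upload_dir = wp_get_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    if ( false === $base || '' === $relative ) {
        return false;
    }
    // Resolve symlinks and '..' segments before comparing prefixes.
    $target = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' ) );
    if ( false === $target || ! is_file( $target ) ) {
        return false;
    }
    // Trailing separator prevents "/uploads-other" from matching "/uploads".
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    // Refuse to touch PHP files even when they sit inside uploads.
    if ( 'php' === strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) ) {
        return false;
    }
    // WordPress core helper that re-checks the file is under $base.
    return wp_delete_file_from_directory( $target, $base );
}
```

With these checks a request naming wp-config.php (or any "../" traversal) resolves outside the uploads base and is rejected before any filesystem call.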
CVE-2025-2007 was publicly disclosed on April 1, 2025. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
WordPress websites using the WP Ultimate CSV Importer plugin, particularly those with Subscriber-level users who have access to import and export functionality, are at risk. Shared hosting environments where file permissions are less tightly controlled are also more vulnerable.
• wordpress / composer / npm: grep -r 'deleteImage(' /var/www/html/wp-content/plugins/wp-ultimate-csv-importer/
• wordpress / composer / npm: wp plugin list --status=active | grep 'wp-ultimate-csv-importer'
• wordpress / composer / npm: wp plugin update wp-ultimate-csv-importer
Disclosure
Exploit status
EPSS: 5.63% (90th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the WP Ultimate CSV Importer plugin to version 7.20.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting file upload permissions for users with Subscriber roles or higher. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious file paths or patterns related to file deletion operations. Regularly review WordPress plugin permissions and ensure they adhere to the principle of least privilege. After upgrading, confirm the fix by attempting a file deletion operation with a user account having Subscriber privileges; the attempt should be denied.
Update the WP Ultimate CSV Importer plugin to version 7.20.1 or later to resolve the arbitrary file deletion vulnerability. This update corrects the missing validation of file paths, preventing attackers with Subscriber privileges or higher from deleting sensitive files on the server.
CVE-2025-2007 is a vulnerability in the WP Ultimate CSV Importer plugin for WordPress that allows authenticated users to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using the WP Ultimate CSV Importer plugin in versions 0.0.0 through 7.20. Versions 7.20.1 and later are patched.
Upgrade the WP Ultimate CSV Importer plugin to version 7.20.1 or later. Consider temporary mitigation steps like restricting file permissions if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.