Platform
wordpress
Component
wp-ultimate-csv-importer
Fixed in
7.20.1
CVE-2025-2007 is an arbitrary file deletion vulnerability in the WP Ultimate CSV Importer plugin for WordPress. Because the plugin's file deletion routine neither validates the supplied file path adequately nor restricts who may call it, any authenticated user, including one with only Subscriber-level access, can delete files on the server, which can be chained to remote code execution. The vulnerability affects versions 0.0.0 through 7.19, resurfaced in 7.20, and is fixed in 7.20.1.
The primary impact of CVE-2025-2007 is that an authenticated attacker can delete arbitrary files on a WordPress server. Deleting wp-config.php is the classic chain: without that file WordPress treats the site as uninstalled and exposes the setup wizard, and an attacker who completes the wizard against a database they control obtains an administrator account on the site, from which installing a malicious plugin or theme gives remote code execution. From there the attacker can install malware, steal sensitive data, or deface the site. Since exploitation requires nothing more than a Subscriber account, which many sites hand out through open registration, the attack surface is broad.
CVE-2025-2007 was publicly disclosed on April 1, 2025. No active exploitation campaigns have been confirmed, but the low privilege required and the potential for remote code execution make this a high-priority vulnerability. That the flaw returned in 7.20 after the initial fix and had to be patched again in 7.20.1 shows why plugin releases need regression tests for security fixes, not only functional testing.
Exploit Status
EPSS
5.63% (90th percentile)
The primary mitigation for CVE-2025-2007 is to upgrade the WP Ultimate CSV Importer plugin to version 7.20.1 or later immediately. If upgrading is not immediately feasible, limit what a successful deletion can reach: on Linux, unlink() requires write permission on the containing directory rather than on the file itself, so making wp-config.php read-only is not enough; ensure the web server user cannot write to the WordPress root (or move wp-config.php one directory above the document root, which WordPress supports) and that it has write access only to wp-content/uploads. Deactivating the plugin until it is patched removes the vulnerable endpoint entirely. A Web Application Firewall rule can block requests to the plugin's file-handling endpoints that contain path traversal sequences or that target files outside the upload directory. Monitor web server and WordPress logs for unexpected deletions and for Subscriber-level accounts calling the plugin's endpoints. After upgrading, confirm the fix on a staging copy, not production, by sending the deletion request as a Subscriber-level test account and verifying that it is rejected and the target file is untouched.
Update the WP Ultimate CSV Importer plugin to version 7.20.1 or later to fix the arbitrary file deletion vulnerability. This update corrects the missing validation of file paths, preventing attackers with Subscriber or higher privileges from deleting sensitive files on the server.
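To make the root cause concrete, the following is an added example written for this page; it is not code from WP Ultimate CSV Importer. It shows an AJAX file-deletion handler with the two defects the advisory describes (no privilege check and no path validation) next to a hardened version that checks a capability and a nonce and confines the resolved path to a single directory. The hook names, nonce action, parameter name and directory name are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Hook names, the nonce action
// 'example_delete_file', the POST parameter 'file' and the directory
// 'example-csv-imports' are assumptions for illustration.

// --- VULNERABLE: wp_ajax_* hooks run for every logged-in user, including
// Subscribers; nothing checks a capability or nonce, and the supplied name
// is joined onto a base directory unchanged, so file=../../wp-config.php
// resolves to WP_CONTENT_DIR/uploads/../../wp-config.php and is unlinked.
add_action( 'wp_ajax_example_delete_file_vulnerable', 'example_delete_file_vulnerable' );
function example_delete_file_vulnerable() {
    $path = WP_CONTENT_DIR . '/uploads/' . $_POST['file'];
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// --- HARDENED
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_fixed' );
function example_delete_file_fixed() {
    // 1. Authorization: only administrators (manage_options) may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 3. Accept a bare file name only and confine it to one directory.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $base = wp_upload_dir()['basedir'] . '/example-csv-imports';
    $path = example_confine_path( $base, $name );
    if ( null === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    if ( ! unlink( $path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}

// Return the absolute path of $name inside $base, or null if the name is
// empty, contains a separator or traversal component, does not exist, is
// not a regular file, or resolves (after following symlinks) outside $base.
function example_confine_path( $base, $name ) {
    if ( '' === $name || '.' === $name || '..' === $name
        || false !== strpos( $name, '/' ) || false !== strpos( $name, '\\' ) ) {
        return null;
    }
    $real_base = realpath( $base );
    $real_path = realpath( $base . '/' . $name );
    if ( false === $real_base || false === $real_path ) {
        return null;
    }
    // realpath() resolves symlinks, so a link inside $base that points at
    // wp-config.php yields a path outside $real_base and is rejected here.
    if ( 0 !== strpos( $real_path, $real_base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    if ( ! is_file( $real_path ) ) {
        return null;
    }
    return $real_path;
}
```

The capability check is what closes the Subscriber-level access described above; the path confinement is what closes the arbitrary-file part, and it is kept even though sanitize_file_name() already strips slashes, because a second independent check costs nothing and survives a later change to the sanitizer. When auditing a plugin for this class of bug, look for unlink(), wp_delete_file() or rename() reached from a wp_ajax_, wp_ajax_nopriv_ or REST callback and trace whether each has both a capability check and a path check before the filesystem call.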
CVE-2025-2007 is a vulnerability in the WP Ultimate CSV Importer plugin for WordPress that allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server, potentially leading to remote code execution.
You are affected if you are running the WP Ultimate CSV Importer plugin in any version up to and including 7.20. Versions 7.20.1 and later are patched.
Upgrade the WP Ultimate CSV Importer plugin to version 7.20.1 or later. Consider temporary mitigation steps like restricting file permissions if immediate upgrade is not possible.
No active exploitation campaigns have been confirmed, but the low privilege required makes the vulnerability an attractive target, so treat any site with open user registration as exposed.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.