Platform: wordpress
Component: wp-ultimate-csv-importer
Fixed version: 7.28.1
CVE-2025-10057 is a critical Remote Code Execution (RCE) vulnerability affecting the WP Import – Ultimate CSV XML Importer for WordPress plugin. An attacker with Subscriber-level access or higher can inject malicious PHP code, potentially gaining complete control of the WordPress site. This vulnerability impacts versions 7.20 through 7.28. A patch is expected to be released by the plugin developer.
This RCE vulnerability allows an authenticated attacker to execute arbitrary code on the server hosting the WordPress site. The attack vector involves manipulating the customFunction.php file, which is then executed by the plugin. Successful exploitation could lead to complete compromise of the website, including data theft, modification, and defacement. The attacker could also leverage the compromised server to launch further attacks against other systems within the network, significantly expanding the blast radius. This vulnerability shares similarities with other plugin-based RCE vulnerabilities where file uploads or modifications are not properly sanitized.
This vulnerability was publicly disclosed on 2025-09-17. The CVSS score is 8.8 (HIGH). There are currently no known public exploits, but the ease of exploitation suggests a high probability of exploitation if left unpatched. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. This vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing the WP Import plugin, particularly those with a large number of users with Subscriber or higher roles, are at significant risk. Shared hosting environments where users have limited control over plugin updates are also particularly vulnerable. WordPress sites with outdated security practices and inadequate user permission management are also at increased risk.
• wordpress / composer / npm: grep -r 'write_to_customfile\(' /var/www/html/wp-content/plugins/wp-import/
• wordpress / composer / npm: wp plugin list --status=active | grep "WP Import"
• wordpress / composer / npm: find /var/www/html/wp-content/uploads/ -name 'customFunction.php' -type f
Exploit status
EPSS: 0.35% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the WP Import plugin to a version containing the fix, once released by the developer. As an interim measure, restrict file upload permissions for users with Subscriber roles or lower. Implement a Web Application Firewall (WAF) rule to block attempts to upload or modify the customFunction.php file. Regularly scan the WordPress installation for suspicious files and modifications. Review user roles and permissions to ensure the principle of least privilege is enforced.
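As an added triage helper (not the advisory's or the plugin's own code), the following Python ties the detection commands above to the mitigation advice: it classifies an installed plugin version against the affected range 7.20 through 7.28 (fixed in 7.28.1) and scans wp-content for customFunction.php files that actually contain PHP code. The plugin slug taken from the component field, the version-parsing rules and the sample directory tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "wp-ultimate-csv-importer"  # component slug given on the advisory (assumed to be the directory name)
FIRST_AFFECTED = (7, 20)                   # advisory: versions 7.20 through 7.28 are affected
FIXED = (7, 28, 1)                         # advisory: fixed version 7.28.1
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)  # PHP open tags


def parse_version(v: str) -> tuple:
    """'7.28' -> (7, 28); a suffix such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected_version(v: str) -> bool:
    """True when 7.20 <= installed < 7.28.1 (tuple comparison handles 2- and 3-part versions)."""
    return FIRST_AFFECTED <= parse_version(v) < FIXED


def scan_custom_function_files(wp_root: str) -> list:
    """List every customFunction.php under wp-content and whether it holds PHP code.

    The plugin executes this file, so a copy containing a PHP open tag under
    uploads (where the advisory's own find command looks) is an incident, not noise."""
    hits = []
    for path in Path(wp_root, "wp-content").rglob("customFunction.php"):
        data = path.read_bytes()
        hits.append({"path": str(path),
                     "in_uploads": "uploads" in path.parts,
                     "has_php": PHP_TAG.search(data) is not None})
    return hits


def demo() -> list:
    """Run the scan over a constructed WordPress tree (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp, "wp-content", "uploads", "2025", "09")
        up.mkdir(parents=True)
        (up / "customFunction.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
        (up / "notes.txt").write_bytes(b"harmless")  # must not be reported
        return scan_custom_function_files(tmp)


if __name__ == "__main__":
    print("7.28 affected:", is_affected_version("7.28"))      # True
    print("7.28.1 affected:", is_affected_version("7.28.1"))  # False
    for hit in demo():
        print(hit)
```

On a live host, feed the output of `wp plugin get wp-ultimate-csv-importer --field=version` to is_affected_version and point scan_custom_function_files at the WordPress root; a hit with has_php set outside the plugin's own directory should be preserved for forensics before removal.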
Update the WP Import – Ultimate CSV XML Importer for WordPress plugin to the latest available version. This will fix the remote code execution vulnerability.
CVE-2025-10057 is a Remote Code Execution vulnerability in the WP Import plugin for WordPress, allowing authenticated attackers to execute arbitrary code.
You are affected if you are using WP Import versions 7.20 through 7.28 and have not upgraded to a patched version.
Upgrade the WP Import plugin to the latest available version as soon as a patch is released by the developer. Implement WAF rules and restrict file upload permissions as interim measures.
While no public exploits are currently known, the ease of exploitation suggests a high probability of exploitation if left unpatched.
Refer to the official WP Import plugin website and WordPress security announcements for the latest advisory and patch information.