Platform: wordpress
Component: wp-ultimate-csv-importer
Fixed version: 7.28.1
CVE-2025-10057 is a critical Remote Code Execution (RCE) vulnerability affecting the WP Import – Ultimate CSV XML Importer for WordPress plugin. An attacker with Subscriber-level access or higher can inject malicious PHP code, potentially gaining complete control of the WordPress site. This vulnerability impacts versions 7.20 through 7.28. A patch is expected to be released by the plugin developer.
This RCE vulnerability allows an authenticated attacker to execute arbitrary code on the server hosting the WordPress site. The attack vector involves manipulating the customFunction.php file, which is then executed by the plugin. Successful exploitation could lead to complete compromise of the website, including data theft, modification, and defacement. The attacker could also leverage the compromised server to launch further attacks against other systems within the network, significantly expanding the blast radius. This vulnerability shares similarities with other plugin-based RCE vulnerabilities where file uploads or modifications are not properly sanitized.
This vulnerability was publicly disclosed on 2025-09-17. The CVSS score is 8.8 (HIGH). There are currently no known public exploits, but the ease of exploitation suggests a high probability of exploitation if left unpatched. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. This vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing the WP Import plugin, particularly those with a large number of users with Subscriber or higher roles, are at significant risk. Shared hosting environments where users have limited control over plugin updates are also particularly vulnerable. WordPress sites with outdated security practices and inadequate user permission management are also at increased risk.
• wordpress / composer / npm:
  grep -r 'write_to_customfile\(' /var/www/html/wp-content/plugins/wp-import/
• wordpress / composer / npm:
  wp plugin list --status=active | grep "WP Import"
• wordpress / composer / npm:
  find /var/www/html/wp-content/uploads/ -name 'customFunction.php' -type f
Disclosure
Exploitation status
EPSS: 0.35% (58th percentile)
The primary mitigation is to immediately upgrade the WP Import plugin to a version containing the fix, once released by the developer. As an interim measure, restrict file upload permissions for users with Subscriber roles or lower. Implement a Web Application Firewall (WAF) rule to block attempts to upload or modify the customFunction.php file. Regularly scan the WordPress installation for suspicious files and modifications. Review user roles and permissions to ensure the principle of least privilege is enforced.
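The detection commands and the mitigation advice above can be combined into one defender-side triage script. The following is an added example, not code from the advisory or from the plugin's authors. It assumes the plugin is installed under wp-content/plugins/wp-ultimate-csv-importer (the component name listed at the top of the advisory), that its main PHP file carries a standard WordPress "Version:" header, and that the WordPress root is passed in WP_ROOT; the affected range (7.20 up to but excluding 7.28.1) is taken from the advisory.

```shell
#!/bin/sh
# Added triage helper for CVE-2025-10057 (not part of the advisory or the plugin).
# Assumptions: the plugin lives in wp-content/plugins/<slug>, <slug> being the
# component name from the advisory, and its main PHP file has a standard
# WordPress "Version:" header line. Affected range and fixed version come from
# the advisory. POSIX sh only; versions are dotted numerics such as 7.28.1.

PLUGIN_SLUG="wp-ultimate-csv-importer"
FIRST_VULNERABLE="7.20"
FIXED_VERSION="7.28.1"

# version_cmp A B: prints -1, 0 or 1, comparing dotted versions component-wise
# so that 7.3 < 7.28 and 7.28 < 7.28.1 (a missing component counts as 0).
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# is_vulnerable VERSION: succeeds when 7.20 <= VERSION < 7.28.1
is_vulnerable() {
    [ "$(version_cmp "$1" "$FIRST_VULNERABLE")" -ge 0 ] &&
        [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# installed_version PLUGIN_DIR: extract the "Version:" header from the plugin's
# PHP files; prints nothing when the plugin is not installed there.
installed_version() {
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null |
        head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# find_custom_function_files WP_ROOT: list customFunction.php files under the
# uploads tree, the location the advisory's own find command inspects. A PHP
# file there is unexpected and should be reviewed (not executed).
find_custom_function_files() {
    find "$1/wp-content/uploads" -type f -name 'customFunction.php' 2>/dev/null || true
}

# assess WP_ROOT: print findings; returns 0 when nothing needs attention, 1 otherwise.
assess() {
    root="$1"
    status=0
    ver="$(installed_version "$root/wp-content/plugins/$PLUGIN_SLUG")"
    if [ -z "$ver" ]; then
        echo "plugin $PLUGIN_SLUG not found under $root (not affected)"
    elif is_vulnerable "$ver"; then
        echo "VULNERABLE: $PLUGIN_SLUG $ver is in the affected range (fixed in $FIXED_VERSION)"
        status=1
    else
        echo "ok: $PLUGIN_SLUG $ver is outside the affected range"
    fi
    files="$(find_custom_function_files "$root")"
    if [ -n "$files" ]; then
        echo "REVIEW: customFunction.php present under wp-content/uploads:"
        echo "$files"
        status=1
    fi
    return "$status"
}

# Run directly as: WP_ROOT=/var/www/html sh check-cve-2025-10057.sh
if [ -n "${WP_ROOT:-}" ]; then
    assess "$WP_ROOT"
fi
```

A non-zero exit from `assess` is meant to feed a cron job or CI check; the version comparison is done component-wise rather than with string comparison so that 7.28 is correctly treated as older than 7.28.1, which a plain `<` on strings would get wrong.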
Update the WP Import – Ultimate CSV XML Importer for WordPress plugin to the latest available version. This resolves the remote code execution vulnerability.
CVE-2025-10057 is a Remote Code Execution vulnerability in the WP Import plugin for WordPress, allowing authenticated attackers to execute arbitrary code.
You are affected if you are using WP Import versions 7.20 through 7.28 and have not upgraded to a patched version.
Upgrade the WP Import plugin to the latest available version as soon as a patch is released by the developer. Implement WAF rules and restrict file upload permissions as interim measures.
While no public exploits are currently known, the ease of exploitation suggests a high probability of exploitation if left unpatched.
Refer to the official WP Import plugin website and WordPress security announcements for the latest advisory and patch information.