CVE-2025-10057
📋 TL;DR
This vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary PHP code on WordPress sites using the WP Import plugin. Attackers can inject malicious PHP code into a customFunction.php file, leading to full server compromise. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WP Import – Ultimate CSV XML Importer for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover, data theft, malware deployment, and persistent backdoor installation leading to organizational compromise.
Likely Case
Website defacement, data exfiltration, cryptocurrency mining, or use as part of a botnet for further attacks.
If Mitigated
Limited impact if proper network segmentation, file integrity monitoring, and least privilege access are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but only at Subscriber level, which is trivial to obtain through registration or compromised accounts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 7.28
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/importExtensions/ImportHelpers.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Import – Ultimate CSV XML Importer'.
4. Click 'Update Now' if available, or manually update to a version after 7.28.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the WP Import plugin until patched
wp plugin deactivate wp-ultimate-csv-importer
Restrict user registration
Disable new user registration to prevent attackers from obtaining Subscriber accounts
🧯 If You Can't Patch
- Remove the plugin entirely and use alternative import methods
- Implement web application firewall rules to block requests to customFunction.php
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP Import plugin version 7.28 or earlier
Check Version:
wp plugin get wp-ultimate-csv-importer --field=version
Verify Fix Applied:
Verify plugin version is higher than 7.28 and check that customFunction.php file has proper permissions (644) and contains no suspicious code
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin endpoints
- File write operations to customFunction.php
- PHP execution from unexpected locations
Network Indicators:
- HTTP requests containing PHP code in parameters
- Traffic to customFunction.php file
SIEM Query:
source="web_logs" AND (uri="*customFunction.php*" OR user_agent="*wp-ultimate-csv-importer*")
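The log and network indicators above, plus the version check from the "How to Verify" section, implemented as a small defender-side scanner. This is an added example, not code from the advisory or from the plugin; the access-log lines are constructed, and the plugin file paths are assumed, since the page does not give the location of customFunction.php.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); the plugin paths are assumed,
# the page does not give the location of customFunction.php.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/plugins/wp-ultimate-csv-importer/customFunction.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "POST /wp-content/plugins/wp-ultimate-csv-importer/import.php?data=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
PHP_TAG_RE = re.compile(r'<\?php|<\?=', re.IGNORECASE)  # PHP open tags in request data

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def indicators(entry):
    """Return the advisory's log/network indicators that a parsed request matches."""
    hits = []
    decoded = unquote_plus(entry["uri"])  # decode %3C%3Fphp etc. before matching
    if "customFunction.php" in decoded:
        hits.append("customFunction.php access")
    if PHP_TAG_RE.search(decoded):
        hits.append("php code in parameters")
    if entry["method"] == "POST" and "/wp-ultimate-csv-importer/" in decoded:
        hits.append("POST to plugin endpoint")
    if "wp-ultimate-csv-importer" in entry["ua"].lower():
        hits.append("plugin user agent")
    return hits

def scan(log_text):
    """Scan log text; return (ip, uri, indicators) for each request worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = indicators(entry)
        if hits:
            findings.append((entry["ip"], entry["uri"], hits))
    return findings

def is_vulnerable_version(version):
    """True for 7.28 and earlier; the advisory says the fix is in versions after 7.28."""
    return tuple(int(p) for p in version.split(".")) <= (7, 28)
```

Feed `scan()` the output of your web server's access log and `is_vulnerable_version()` the value from `wp plugin get wp-ultimate-csv-importer --field=version`.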
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.25/importExtensions/ImportHelpers.php#L585
- https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/importExtensions/ImportHelpers.php
- https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/uploadModules/DesktopUpload.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/925af22b-a728-496e-a63a-5966347ebe6c?source=cve