CVE-2025-2008 Overview
CVE-2025-2008 is an arbitrary file upload vulnerability affecting the Import Export Suite for CSV and XML Datafeed plugin for WordPress. The flaw exists in the import_single_post_as_csv() function and stems from missing file type validation [CWE-434]. Authenticated attackers with Subscriber-level access or higher can upload arbitrary files to the affected server. Successful exploitation can lead to remote code execution on the host. The issue affects all plugin versions up to and including 7.19. The vulnerability was reintroduced in version 7.20 and patched again in 7.20.1.
Critical Impact
Authenticated Subscriber-level users can upload arbitrary files and potentially achieve remote code execution on WordPress sites running the vulnerable plugin.
Affected Products
- Import Export Suite for CSV and XML Datafeed plugin (also known as WP Ultimate CSV Importer) versions up to and including 7.19
- Import Export Suite for CSV and XML Datafeed plugin version 7.20 (reintroduced)
- WordPress installations with the vulnerable plugin activated
Discovery Timeline
- 2025-04-01 - CVE-2025-2008 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2008
Vulnerability Analysis
The vulnerability resides in the import_single_post_as_csv() function within SingleImportExport.php. The function processes user-supplied files during single-post import operations but fails to validate the file type or extension before writing the file to disk. An authenticated attacker can submit a request containing a malicious payload such as a PHP web shell disguised as a CSV upload. Once written to a web-accessible directory, the attacker can request the file directly and trigger code execution under the web server account.
The weakness is classified as Unrestricted Upload of File with Dangerous Type [CWE-434]. Because authentication is required, the attacker must first obtain Subscriber-level credentials, which are commonly available on sites that permit open registration. After authentication, no additional privilege checks prevent the upload path from being reached.
Root Cause
The root cause is missing input validation in the file handling logic of import_single_post_as_csv(). The function accepts user-uploaded content without verifying the MIME type, file extension, or magic bytes against an allowlist. The plugin also fails to enforce capability checks that would restrict the action to administrative roles.
Attack Vector
The attack requires network access to the site and valid credentials for an account at the Subscriber tier or above. The attacker sends a crafted POST request to the plugin's import endpoint carrying an executable file as the upload. Because the file type is never checked, the server writes the file to a predictable location under the uploads directory. The attacker then requests that file over HTTP, and the web server executes it as PHP under the account the PHP worker runs as.
The vulnerability mechanism is described in the Wordfence Vulnerability Analysis and the upstream fix is visible in the WordPress Plugin Changeset 3261521 and the follow-up changeset 3266286.
Detection Methods for CVE-2025-2008
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files within the WordPress wp-content/uploads/ directory tree, particularly under paths used by the WP Ultimate CSV Importer plugin
- POST requests to plugin import endpoints originating from accounts with Subscriber-level privileges
- New or modified files with web shell signatures such as eval(, base64_decode(, or system( in upload directories
- Outbound network connections initiated by the PHP worker process to attacker-controlled infrastructure
Detection Strategies
- Audit WordPress access logs for requests to the plugin's single-import handlers followed by direct GET requests to newly created files in upload directories
- Compare file inventory in upload paths against expected media file extensions using integrity monitoring
- Review user registration logs for new Subscriber accounts created shortly before suspicious upload activity
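The correlation described in the first Detection Strategies item and in the Monitoring Recommendations (a POST to the plugin's import handler followed by a GET to an executable file under wp-content/uploads/) can be scripted over web server access logs. The following Python is an added example, not code from the plugin, from Wordfence, or from the original page. It assumes the combined log format, assumes that import requests can be recognized by the path fragment wp-ultimate-csv-importer (replace this with the REST route or admin-ajax action your installation actually logs), uses a ten-minute correlation window, and runs over constructed sample log lines, one of which shows a blocked (403) attempt that is still worth reporting.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# ASSUMPTION: import requests to the plugin are recognized by this path fragment.
# Replace with the REST route or admin-ajax action name your installation logs.
IMPORT_PATH_MARKERS = ("wp-ultimate-csv-importer",)

# Executable file types that never belong under wp-content/uploads/.
EXEC_UNDER_UPLOADS = re.compile(
    r"/wp-content/uploads/.*\.(php|phtml|phar|php[57])(\?.*)?$", re.IGNORECASE
)

# How long after an import POST a GET to an executable upload counts as correlated.
CORRELATION_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_upload_then_execute(lines, window=CORRELATION_WINDOW):
    """Alert on GETs to executable files under uploads/ (lines must be in time order).

    An alert is marked correlated when the same client IP POSTed to the plugin's
    import endpoint within `window` beforehand. Uncorrelated hits are still
    reported, since the upload may have come from another address or session,
    and a 403 status still records an attempt worth triaging.
    """
    last_import_post = {}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and any(mk in path for mk in IMPORT_PATH_MARKERS):
            last_import_post[rec["ip"]] = rec["ts"]
            continue
        if rec["method"] == "GET" and EXEC_UNDER_UPLOADS.search(path):
            prior = last_import_post.get(rec["ip"])
            correlated = prior is not None and timedelta(0) <= rec["ts"] - prior <= window
            alerts.append({
                "ip": rec["ip"],
                "path": path,
                "ts": rec["ts"].isoformat(),
                "status": rec["status"],
                "correlated": correlated,
            })
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2025:10:15:32 +0000] "POST /wp-json/wp-ultimate-csv-importer/v1/import HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2025:10:15:41 +0000] "GET /wp-content/uploads/2025/04/report.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2025:10:20:05 +0000] "GET /wp-content/uploads/2025/04/photo.jpg HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Apr/2025:11:02:10 +0000] "GET /wp-content/uploads/2025/03/cache.phtml?cmd=id HTTP/1.1" 403 64 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for a in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        tag = "CORRELATED" if a["correlated"] else "uncorrelated"
        print(f"{tag}: {a['ip']} -> {a['path']} ({a['status']}) at {a['ts']}")
```

On the sample the first GET is reported as correlated (nine seconds after the import POST from the same address) and the .phtml request as uncorrelated. Feed it real logs with `find_upload_then_execute(open("access.log"))`; keying on client IP is a simplification, so where a WordPress audit plugin records the acting user, correlate on the user instead.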
Monitoring Recommendations
- Enable WordPress audit logging for file upload events and plugin actions invoked by non-administrative users
- Forward web server access logs to a central analysis platform and alert on POST requests to plugin endpoints followed by requests to executable file types in upload directories
- Monitor PHP process spawning of shell utilities such as sh, bash, wget, or curl originating from the WordPress runtime
How to Mitigate CVE-2025-2008
Immediate Actions Required
- Update the Import Export Suite for CSV and XML Datafeed plugin to version 7.20.1 or later on all WordPress installations
- Audit existing user accounts and remove any unrecognized Subscriber-level or higher accounts
- Scan the wp-content/uploads/ directory for unauthorized executable files and remove any artifacts
- Rotate WordPress administrator credentials and review the site for persistence mechanisms if compromise is suspected
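The indicators listed under Indicators of Compromise (unexpected .php, .phtml or .phar files and web shell signatures such as eval( and base64_decode( in upload directories) and the uploads scan in the Immediate Actions list can be automated in one pass. The following Python scanner is an added example, not part of the original page or the plugin. The uploads tree it walks is constructed in a temporary directory purely for demonstration; the signature list, the 64 KB per-file inspection limit, and the multi-extension check are assumptions to tune locally. It flags a file on any of three signals: an executable extension anywhere in the name, a PHP open tag in the content regardless of extension (the "web shell disguised as a CSV" case from the analysis above), or a call to a function that web shells commonly use.

```python
import os
import re
import tempfile

EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Function names that appear in most PHP web shells; a hit is a signal, not proof.
SHELL_SIGNATURES = re.compile(
    rb"\b(eval|base64_decode|system|shell_exec|passthru|exec)\s*\(", re.IGNORECASE
)
HEAD_BYTES = 64 * 1024  # only the head of each file is inspected (assumed limit)


def classify_file(path):
    """Return the reasons a file looks like an uploaded web shell (empty list if clean)."""
    reasons = []
    name = os.path.basename(path).lower()
    # Apache mod_mime evaluates every extension in a name, so on hosts that map PHP
    # with AddHandler a file called shell.php.jpg can still be executed; check them all.
    exts = {"." + part for part in name.split(".")[1:]}
    if exts & EXEC_EXTS:
        reasons.append("executable extension")
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if PHP_OPEN_TAG.search(head):
        reasons.append("php open tag in content")
    if SHELL_SIGNATURES.search(head):
        reasons.append("web shell signature")
    return reasons


def scan_uploads(root):
    """Walk an uploads tree and map relative path -> reasons for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_tree():
    """Constructed sample wp-content/uploads tree (demonstration data only); returns its path."""
    root = tempfile.mkdtemp(prefix="uploads-")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("2025/04/photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)          # legitimate JPEG head
    put("2025/04/products.csv", b"sku,name,price\n1001,Widget,9.99\n")   # legitimate CSV
    put("2025/04/report.php", b"<?php system($_GET['cmd']); ?>")         # plain web shell
    put("2025/04/data.csv", b"<?php eval(base64_decode($_POST['p'])); ?>")  # shell disguised as CSV
    put("2025/03/img.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8)        # double extension
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_uploads(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Point `scan_uploads()` at the real wp-content/uploads/ path on a suspect site. Treat the output as triage input rather than a verdict: confirm each hit by reading the file, and remember that a disguised shell is only dangerous where the server will execute it, which is exactly what the web server rule under Workarounds removes.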
Patch Information
The vendor released the initial fix in the changeset referenced at WordPress Plugin Changeset 3261521. After the issue was reintroduced in version 7.20, a second patch was applied in version 7.20.1 as documented in WordPress Plugin Changeset 3266286. Administrators should confirm that the installed plugin version is 7.20.1 or later.
Workarounds
- Deactivate and remove the Import Export Suite for CSV and XML Datafeed plugin until the patched version can be deployed
- Disable open user registration in WordPress settings to limit the pool of authenticated attackers
- Configure the web server to deny execution of PHP files within the wp-content/uploads/ directory using server-level rules
# Example Apache 2.4 configuration to block PHP execution in uploads.
# Place it in the virtual host; in a wp-content/uploads/.htaccess file use
# only the FilesMatch block without the Directory wrapper. Because the pattern
# is anchored with $, a name such as shell.php.jpg is not matched; on hosts
# that map PHP with AddHandler, use "\.(php|phtml|phar|php5|php7)(\.|$)" instead.
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.(php|phtml|phar|php5|php7)$">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


