CVE-2025-10040 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WP Import – Ultimate CSV XML Importer plugin for WordPress, developed by smackcoders. The issue arises due to the absence of a proper capability check on the 'get_ftp_details' AJAX action endpoint. This endpoint is intended to provide FTP/SFTP credentials configured within the plugin, which are sensitive and should only be accessible to authorized administrators. However, the missing authorization allows any authenticated user with at least Subscriber-level access to invoke this AJAX action and retrieve these credentials. Since WordPress roles such as Subscriber are commonly assigned to users with minimal privileges, this vulnerability significantly lowers the bar for attackers to gain access to critical credentials. The vulnerability affects all versions of the plugin up to and including version 7.27. The CVSS v3.1 base score is 7.7, reflecting a high severity due to network attack vector, low attack complexity, and the requirement for low privileges but no user interaction. The scope is changed because the compromise of FTP/SFTP credentials can lead to broader system access beyond the WordPress environment. While no integrity or availability impact is directly caused by this vulnerability, the confidentiality breach of FTP/SFTP credentials can enable further attacks such as website defacement, data exfiltration, or malware deployment. No public exploits have been reported yet, but the vulnerability's nature makes it a prime target for attackers once disclosed. The plugin is widely used in WordPress environments for importing CSV and XML data, making the vulnerability relevant to many websites globally.

The primary impact of CVE-2025-10040 is the unauthorized disclosure of FTP/SFTP credentials stored within the vulnerable WordPress plugin. This breach of confidentiality can lead to severe downstream consequences, including unauthorized access to the web server's file system, enabling attackers to modify website content, inject malicious code, or exfiltrate sensitive data. Organizations relying on this plugin risk website defacement, data breaches, and potential loss of customer trust. Since the vulnerability can be exploited by users with minimal privileges (Subscriber role), insider threats or compromised low-privilege accounts can escalate into full server compromise. The lack of integrity and availability impact in the direct vulnerability does not mitigate the risk, as attackers gaining FTP/SFTP access can indirectly disrupt website operations or integrity. The threat is particularly critical for organizations with high-value web assets, e-commerce platforms, or those subject to regulatory compliance requiring data protection. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for rapid exploitation post-disclosure.

To mitigate CVE-2025-10040, organizations should immediately update the WP Import – Ultimate CSV XML Importer plugin to a patched version once available from the vendor. In the absence of an official patch, administrators should restrict access to the plugin's AJAX endpoints by implementing web application firewall (WAF) rules that block unauthorized AJAX requests, especially those targeting 'get_ftp_details'. Additionally, review and minimize the assignment of Subscriber or higher roles to untrusted users to reduce the attack surface. Consider rotating FTP/SFTP credentials stored in the plugin to invalidate any potentially compromised credentials. Employ principle of least privilege for FTP/SFTP accounts used by the plugin, limiting their access scope on the server. Monitoring and logging access to the plugin's AJAX actions can help detect exploitation attempts. Finally, conduct regular security audits of WordPress plugins and configurations to identify and remediate similar authorization issues proactively.