
CVE-2025-10040: CWE-862 Missing Authorization in smackcoders WP Import – Ultimate CSV XML Importer for WordPress

Severity: High
Tags: vulnerability, cve-2025-10040, cwe-862
Published: Wed Sep 10 2025 (09/10/2025, 06:38:49 UTC)
Source: CVE Database V5
Vendor/Project: smackcoders
Product: WP Import – Ultimate CSV XML Importer for WordPress

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.

AI-Powered Analysis

Last updated: 09/10/2025, 07:00:44 UTC

Technical Analysis

CVE-2025-10040 is a high-severity vulnerability in the WordPress plugin 'WP Import – Ultimate CSV XML Importer' by smackcoders. The root cause is a missing authorization check (CWE-862) on the AJAX action 'get_ftp_details', affecting all versions up to and including 7.27. In WordPress, an AJAX action named 'get_ftp_details' is reached through wp-admin/admin-ajax.php (action=get_ftp_details) and dispatched to the hook 'wp_ajax_get_ftp_details' for any logged-in user. Because the handler never verifies a capability before answering, any authenticated user with Subscriber-level privileges or above can invoke it and receive the SFTP/FTP credentials configured in the plugin. A nonce check alone would not close this class of bug: nonces defend against CSRF, not against a legitimately logged-in low-privilege user, which is exactly the CWE-862 case.

The attack needs nothing beyond an authenticated session: it is exploitable remotely over the network (AV:N), has low attack complexity (AC:L), requires only low privileges (PR:L) and no user interaction (UI:N). The CVSS 3.1 base score of 7.7 corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N: high impact on confidentiality, none on the integrity or availability of the WordPress instance itself, and a changed scope (S:C) because the disclosed credentials belong to a different security authority, the FTP/SFTP server, and can be used to compromise it. If those credentials point at the web host itself, they typically allow reading wp-config.php and writing arbitrary PHP into the document root, so the practical outcome can be full site compromise despite the I:N/A:N rating on the vulnerable component. No exploitation in the wild had been reported at the time of analysis, but the precondition is weak: on sites with open registration (the 'Anyone can register' setting) the default role for new accounts is Subscriber, so an attacker satisfies the PR:L requirement simply by creating an account.
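To make the CWE-862 pattern concrete, the following is an added illustration written for this page, not code from the WP Import plugin, of what a WordPress AJAX handler with a missing capability check looks like next to a hardened version. The hook name follows the WordPress convention for an AJAX action named get_ftp_details; the option name example_ftp_settings, the nonce action name and the choice of manage_options as the required capability are assumptions.

```php
<?php
// Added illustrative example, not code from the WP Import plugin.
// WordPress dispatches admin-ajax.php?action=get_ftp_details to the
// 'wp_ajax_get_ftp_details' hook for every logged-in user, whatever their role.
// 'example_ftp_settings' and 'manage_options' are assumed names.

// VULNERABLE shape (CWE-862): the handler trusts the fact that the caller is
// logged in and returns the stored credentials to anyone, Subscribers included.
function example_get_ftp_details_vulnerable() {
    $settings = get_option( 'example_ftp_settings', array() );
    wp_send_json_success( $settings ); // host, user, password, port all returned
}
// add_action( 'wp_ajax_get_ftp_details', 'example_get_ftp_details_vulnerable' );

// HARDENED shape: authorization first, CSRF protection second, and never hand
// the secret back to the browser at all.
function example_get_ftp_details_hardened() {
    // 1. Authorization: only users who may manage the site read this data.
    //    This is the check whose absence is CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    //    The admin page obtains it via wp_create_nonce( 'example_ftp_details_nonce' ).
    check_ajax_referer( 'example_ftp_details_nonce', 'nonce' );

    // 3. Least exposure: the settings screen needs host/user/port to render,
    //    not the password, so strip it before serialising the response.
    $settings = get_option( 'example_ftp_settings', array() );
    unset( $settings['password'] );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_get_ftp_details', 'example_get_ftp_details_hardened' );
```

The order matters: check_ajax_referer() on its own would still let a self-registered Subscriber who loads a page containing the nonce call the endpoint, so the capability test must come first and must be the gate that decides whether the data is disclosed.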

Potential Impact

For European organizations, this vulnerability primarily threatens the confidentiality of credentials used for website and server management. Compromised FTP/SFTP credentials can enable unauthorized modification or theft of website content, insertion of malicious code (for example a web shell), or pivoting into internal networks from which the FTP/SFTP host is reachable. Organizations running WordPress with this plugin for content import are exposed to data breaches and defacement, with the usual consequences: reputational damage, regulatory exposure (for example GDPR breach-notification obligations if personal data is accessed), and operational disruption. The impact is amplified in sectors with strict data protection requirements such as finance, healthcare and government. If the same FTP/SFTP credentials are reused across staging, production or partner systems, a single leak can cascade into a supply-chain style compromise. Given the prevalence of WordPress in Europe, especially among SMEs and public sector entities, the exposed surface is significant.

Mitigation Recommendations

The definitive fix is to update WP Import – Ultimate CSV XML Importer to a release newer than 7.27 that restores the capability check, as soon as smackcoders publishes one, and to confirm the installed version afterwards on the Plugins page. Until then, deactivate the plugin if it is not essential, since the AJAX hook is only registered while the plugin is active. Disable open registration ('Anyone can register') and review existing Subscriber accounts, because any self-registered account meets the PR:L precondition. Add a WAF or reverse-proxy rule that blocks, or at minimum logs and alerts on, requests to wp-admin/admin-ajax.php whose action parameter is get_ftp_details; legitimate use is limited to administrators configuring the importer, so the volume should be close to zero. Rotate the FTP/SFTP credentials stored in the plugin and treat the old ones as compromised, checking the FTP/SFTP server's own logs for logins that do not match known administrators. Scope the replacement account to the minimum required (a dedicated import directory, key-based SFTP where the server supports it) so that a future leak cannot reach the whole web root. Beyond this specific bug, enforce least privilege on WordPress roles, monitor admin-ajax.php activity for unusual actions from low-privilege users, enable multi-factor authentication for all accounts, and include authorization checks (current_user_can() on every privileged AJAX and REST handler) in periodic reviews of installed plugins.
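For sites that cannot update immediately, the following is an added example written for this page, not vendor code, of a must-use plugin that enforces an authorization check ahead of the plugin's own handler. It relies on WordPress running the callbacks attached to the wp_ajax_get_ftp_details hook in priority order, with the plugin's callback at the default priority 10: the priority-0 guard ends the request via wp_send_json_error(), which calls wp_die(), for any caller lacking the capability, so the plugin's callback never executes. The capability manage_options is an assumption; align it with the role that legitimately configures the importer.

```php
<?php
/**
 * Plugin Name: Interim guard for get_ftp_details (added example)
 * Description: Not vendor code. Place in wp-content/mu-plugins/ to enforce an
 *              authorization check before the importer's own AJAX callback runs.
 *              Remove once a fixed plugin version is installed.
 */

// Priority 0 runs before the plugin's handler (WordPress default priority is 10),
// regardless of which plugin loaded first. 'manage_options' is an assumed choice.
add_action( 'wp_ajax_get_ftp_details', 'example_guard_get_ftp_details', 0 );

function example_guard_get_ftp_details() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // authorised: fall through to the plugin's own callback
    }

    // Record who tried, so the attempt shows up in the PHP error log / SIEM.
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'blocked get_ftp_details: user_id=%d login=%s ip=%s',
        $user->ID,
        $user->user_login,
        $ip
    ) );

    // Under admin-ajax.php this ends the request (wp_send_json -> wp_die),
    // so the later, unguarded callback is never reached.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
```

Verify the guard before relying on it: log in as a Subscriber and request admin-ajax.php with action=get_ftp_details; the response must be a 403 JSON error, and an administrator session must still get the normal response. If the plugin ever registered its callback at a priority below 0, the guard would run after it, which is why this check is worth repeating after any plugin update.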


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-09-05T17:40:07.006Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68c11e7ce55cc6e90d9f3b48

Added to database: 9/10/2025, 6:45:16 AM

Last enriched: 9/10/2025, 7:00:44 AM

Last updated: 9/10/2025, 4:00:18 PM


