CVE-2025-10057: CWE-94 Improper Control of Generation of Code ('Code Injection') in smackcoders WP Import – Ultimate CSV XML Importer for WordPress
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-10057 is a critical remote code execution (RCE) vulnerability affecting the WP Import – Ultimate CSV XML Importer plugin for WordPress, specifically versions up to and including 7.28. The vulnerability stems from improper handling of PHP code generation within the plugin's write_to_customfile() function. This function writes PHP code to a file named customFunction.php without adequate input validation or sanitization, allowing authenticated users with Subscriber-level access or higher to inject arbitrary PHP code. Once injected, this code can be accessed and executed remotely, enabling attackers to execute arbitrary commands on the server hosting the WordPress site. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), highlighting the risk of code injection due to insufficient input control. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and requiring only low privileges (authenticated Subscriber). No user interaction is needed beyond authentication. Although no known exploits are publicly reported, the vulnerability's nature and ease of exploitation make it a critical threat to affected WordPress sites. The plugin is widely used for importing CSV and XML data into WordPress, increasing the potential attack surface. The vulnerability allows attackers to gain full control over the affected site, potentially leading to data theft, site defacement, or pivoting to internal networks.
Potential Impact
The impact of CVE-2025-10057 is severe for organizations running WordPress sites with the vulnerable WP Import plugin. Successful exploitation results in remote code execution, granting attackers the ability to execute arbitrary PHP code on the web server. This can lead to full site compromise, including unauthorized data access, modification, deletion, or exfiltration. Attackers may also deploy backdoors, malware, or ransomware, disrupt site availability, or use the compromised server as a pivot point for further attacks within the organization's network. Given the low privilege required (Subscriber-level access), attackers can exploit compromised or weak user credentials or leverage social engineering to gain initial access. The vulnerability threatens confidentiality, integrity, and availability of affected systems and data. Organizations relying on this plugin for data import/export workflows face operational disruption and reputational damage if exploited. The lack of known public exploits currently provides a window for remediation, but the high severity score and ease of exploitation make timely mitigation critical.
Mitigation Recommendations
1. Immediate upgrade: Organizations should update the WP Import – Ultimate CSV XML Importer plugin to a patched version once released by the vendor. Monitor official sources for patch announcements.
2. Access control review: Restrict plugin usage to trusted users only and review user roles to minimize the number of accounts with Subscriber-level or higher privileges.
3. Disable or remove the plugin temporarily if patching is not immediately possible, especially on high-risk or public-facing sites.
4. Implement Web Application Firewall (WAF) rules to detect and block attempts to write or execute unauthorized PHP files, focusing on requests targeting customFunction.php or similar endpoints.
5. Monitor logs for suspicious activity related to file writes or PHP execution originating from authenticated users with low privileges.
6. Enforce strong authentication policies, including multi-factor authentication (MFA), to reduce the risk of credential compromise.
7. Conduct regular security audits and vulnerability scans to detect the presence of vulnerable plugin versions.
8. Apply the principle of least privilege to WordPress user roles and plugin permissions to limit the attack surface.
9. Back up WordPress sites regularly to enable rapid recovery in case of compromise.
10. Educate site administrators and users about the risks of installing untrusted plugins and the importance of timely updates.
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-05T19:36:05.766Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cab09db62c8e2e63b24673
Added to database: 9/17/2025, 12:59:09 PM
Last enriched: 2/27/2026, 6:05:40 PM
Last updated: 3/24/2026, 1:46:09 PM