CVE-2025-10057: CWE-94 Improper Control of Generation of Code ('Code Injection') in smackcoders WP Import – Ultimate CSV XML Importer for WordPress

High
Tags: Vulnerability, CVE-2025-10057, cve, cve-2025-10057, cwe-94
Published: Wed Sep 17 2025 (09/17/2025, 05:18:45 UTC)
Source: CVE Database V5
Vendor/Project: smackcoders
Product: WP Import – Ultimate CSV XML Importer for WordPress

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.

AI-Powered Analysis

Last updated: 09/17/2025, 12:59:45 UTC

Technical Analysis

CVE-2025-10057 is a critical vulnerability affecting the WP Import – Ultimate CSV XML Importer plugin for WordPress, developed by smackcoders. This vulnerability exists in all versions up to and including 7.28, with the specifically noted affected version 7.20. The root cause is improper control of code generation (CWE-94), specifically in the write_to_customfile() function, which writes unfiltered PHP code to a file named customFunction.php. This flaw allows an authenticated attacker with at least Subscriber-level privileges to inject arbitrary PHP code into this file. Because the injected PHP code can be executed remotely, this leads to remote code execution (RCE) on the affected WordPress site without requiring any user interaction. The CVSS v3.1 base score is 8.8 (high severity), reflecting the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the vulnerability’s characteristics make it a significant risk. The ability for low-privileged authenticated users to execute arbitrary code can lead to full site compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Since WordPress is widely used globally, and this plugin is popular for importing CSV and XML data, the vulnerability has broad implications for sites using this plugin without patching or mitigation.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those relying on WordPress for their web presence and using the WP Import – Ultimate CSV XML Importer plugin. Successful exploitation can lead to full compromise of the web server, resulting in data breaches including personal data protected under GDPR, website defacement, service disruption, and potential lateral movement within internal networks. The high integrity and availability impacts could disrupt business operations and damage reputation. Given the plugin’s role in importing data, attackers might also manipulate imported content or inject malicious payloads into the website content, affecting end users and customers. Organizations in sectors such as e-commerce, media, education, and government that rely on WordPress are particularly vulnerable. The requirement for only Subscriber-level access lowers the barrier for exploitation, increasing risk from insider threats or compromised low-privilege accounts. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the high severity score indicates urgent attention is necessary.

Mitigation Recommendations

1. Immediate upgrade or patching: Organizations should check for and apply any available updates from smackcoders that address this vulnerability. If no patch is currently available, consider disabling or uninstalling the plugin until a fix is released.
2. Restrict plugin usage: Limit plugin installation and usage to trusted administrators only, and restrict Subscriber-level accounts from accessing import functionalities if possible.
3. Harden WordPress permissions: Review and tighten user role permissions to minimize the number of users with Subscriber-level or higher access, and monitor for suspicious privilege escalations.
4. Implement Web Application Firewall (WAF) rules: Deploy WAF rules to detect and block attempts to write or execute unauthorized PHP files, particularly targeting the customFunction.php file or suspicious POST requests to the plugin endpoints.
5. Monitor file integrity: Use file integrity monitoring tools to detect unexpected changes to PHP files within the WordPress installation, especially in plugin directories.
6. Conduct regular security audits: Scan WordPress sites for vulnerable plugins and remove or update them promptly.
7. Employ network segmentation: Isolate web servers to limit lateral movement in case of compromise.
8. Backup and incident response: Maintain recent backups and have an incident response plan ready to quickly restore services if exploitation occurs.
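A minimal file-integrity check of the kind recommendation 5 calls for, written as an added example for this advisory (not code from the plugin or from the CVE record): it baselines the SHA-256 of every PHP file under a directory, reports files that changed, and specifically flags customFunction.php when it starts carrying a PHP open tag. The plugin directory slug is a placeholder and the sample tree is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile

# Constructed sample tree; the plugin directory slug is a placeholder, not from the advisory.
PLUGIN_DIR_NAME = "example-importer-plugin"  # placeholder
WATCHED_FILE = "customFunction.php"          # file named in the advisory

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map each .php file under root (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def detect_changes(baseline, root):
    """Return (added, modified) relative paths versus the baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    return added, modified

def suspicious_custom_file(root, rel_path):
    """True if customFunction.php now carries a PHP open tag, i.e. executable code."""
    if os.path.basename(rel_path) != WATCHED_FILE:
        return False
    with open(os.path.join(root, rel_path), "rb") as f:
        data = f.read()
    return b"<?php" in data or b"<?=" in data

def demo():
    """Constructed scenario: baseline a clean tree, then simulate an unexpected write."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, PLUGIN_DIR_NAME)
    os.makedirs(plugin)
    with open(os.path.join(plugin, WATCHED_FILE), "w") as f:
        f.write("")  # clean state: the custom-function file holds no code
    with open(os.path.join(plugin, "importer.php"), "w") as f:
        f.write("<?php // legitimate plugin code (constructed)\n")
    baseline = build_baseline(root)
    with open(os.path.join(plugin, WATCHED_FILE), "w") as f:
        f.write("<?php // simulated unexpected write\n")
    added, modified = detect_changes(baseline, root)
    flagged = [p for p in modified if suspicious_custom_file(root, p)]
    return modified, flagged
```

Run `demo()` to see the constructed scenario; in production, store the baseline out of band and re-run `detect_changes` against the real plugin directory on a schedule.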

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-09-05T19:36:05.766Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68cab09db62c8e2e63b24673

Added to database: 9/17/2025, 12:59:09 PM

Last enriched: 9/17/2025, 12:59:45 PM

Last updated: 9/18/2025, 12:10:44 AM
