
CVE-2025-10058: CWE-73 External Control of File Name or Path in smackcoders WP Import – Ultimate CSV XML Importer for WordPress

High
Tags: Vulnerability, CVE-2025-10058, CWE-73
Published: Wed Sep 17 2025 (09/17/2025, 05:18:44 UTC)
Source: CVE Database V5
Vendor/Project: smackcoders
Product: WP Import – Ultimate CSV XML Importer for WordPress

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

AI analysis last updated: 09/17/2025, 12:59:32 UTC

Technical Analysis

CVE-2025-10058 is a high-severity vulnerability affecting the WordPress plugin 'WP Import – Ultimate CSV XML Importer' developed by smackcoders. The vulnerability arises from insufficient validation of file paths in the plugin's upload_function(), which allows an authenticated attacker with as low as Subscriber-level privileges to perform arbitrary file deletion on the server hosting the WordPress instance. This vulnerability is classified under CWE-73 (External Control of File Name or Path), indicating that the plugin improperly trusts user-supplied input to control file paths. Exploitation does not require user interaction beyond authentication and can lead to deletion of critical files such as wp-config.php. The removal of such files can disrupt the availability of the website or enable further exploitation, including remote code execution (RCE), by destabilizing the WordPress environment or facilitating malicious file uploads or modifications. The CVSS v3.1 base score is 8.1, reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and resulting in high integrity and availability impact. No public exploits are currently known in the wild, but the vulnerability affects all versions up to and including 7.27 of the plugin, which is widely used for importing CSV and XML data into WordPress sites.
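As an added illustration of the CWE-73 pattern described above (this is not the plugin's own code and does not appear on the page), a hypothetical upload clean-up helper in its unsafe shape beside a hardened one. The function names, the base-directory parameter and the request field are assumptions; current_user_can() and the 'import' capability are WordPress core.

```php
<?php
// Hypothetical illustration of CWE-73 in a WordPress plugin; not the real upload_function().
// Assumed scenario: a handler removes a previously uploaded temp file whose name
// arrives in the request. The unsafe shape hands the supplied value straight to unlink().

// Unsafe shape (hypothetical): the request fully controls the path that is deleted.
function delete_upload_unsafe(string $requested_path): bool {
    return @unlink($requested_path); // a traversal string is accepted unchanged
}

// Hardened shape: authorize first, then confine the target to the plugin's own
// upload directory and to regular files, resolving symlinks before comparing.
function delete_upload_safe(string $requested_name, string $base_dir): bool {
    // 1. Only users entitled to import data may reach this code path;
    //    Subscriber-level accounts do not hold the 'import' capability.
    if (!current_user_can('import')) {
        return false;
    }
    // 2. Accept a bare file name only: no separators, no traversal, no NUL byte.
    if ($requested_name === '' || strpos($requested_name, "\0") !== false
        || basename($requested_name) !== $requested_name) {
        return false;
    }
    // 3. Canonicalise both sides. realpath() returns false for a missing file,
    //    so a non-existent target is refused before unlink() is ever reached.
    $base   = realpath($base_dir);
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested_name);
    if ($base === false || $target === false) {
        return false;
    }
    // 4. The canonical target must sit strictly inside the base directory; the
    //    trailing separator stops "/uploads-other" from matching "/uploads".
    //    ("." and ".." survive step 2 but fail here.)
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // 5. Regular files only; realpath() already followed links, so a symlink
    //    pointing outside the directory was rejected in step 4.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}
```

The hardened version also belongs behind a nonce check (check_admin_referer()) on the request, which is omitted here to keep the path logic in focus.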

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress for their web presence and using the affected plugin. Successful exploitation can lead to website downtime, loss of data integrity, and potential unauthorized control over web servers. This can disrupt business operations, damage reputation, and expose sensitive customer or organizational data indirectly if further exploitation occurs. Given the ease of exploitation by low-privilege authenticated users, insider threats or compromised low-level accounts can trigger attacks. The impact is particularly critical for e-commerce, government, and media websites where availability and integrity are paramount. Additionally, the potential for remote code execution elevates the risk of lateral movement within organizational networks, increasing the threat to internal systems and data. Compliance with GDPR and other European data protection regulations may be jeopardized if the vulnerability leads to data breaches or service interruptions.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the 'WP Import – Ultimate CSV XML Importer' plugin and verify the version in use. Until an official patch is released, organizations should consider disabling or uninstalling the plugin to eliminate the attack surface. Restricting user roles and permissions to minimize the number of users with Subscriber-level or higher access can reduce exploitation risk. Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious file path manipulation attempts targeting the upload_function() may provide temporary protection. Monitoring server logs for unusual file deletion activities or access patterns related to the plugin's upload functionality is recommended. Organizations should also enforce strong authentication mechanisms and consider multi-factor authentication (MFA) to reduce the risk of compromised accounts. Once a patch becomes available, prompt application of updates is critical. Regular backups of WordPress files and databases should be maintained to enable rapid recovery in case of successful exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-05T19:41:54.480Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68cab09db62c8e2e63b24679

Added to database: 9/17/2025, 12:59:09 PM

Last enriched: 9/17/2025, 12:59:32 PM

Last updated: 9/17/2025, 12:59:32 PM
