CVE-2025-10058 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the WP Import – Ultimate CSV XML Importer plugin for WordPress, developed by smackcoders. The flaw exists in the upload_function() where insufficient validation of file paths allows authenticated users with minimal privileges (Subscriber-level or above) to specify arbitrary file paths for deletion on the server. This arbitrary file deletion can be leveraged to remove critical WordPress files such as wp-config.php, which contains database credentials and configuration settings. Deleting such files can disrupt website functionality and enable attackers to execute remote code by forcing WordPress to regenerate configuration files or by manipulating the environment. The vulnerability is remotely exploitable without user interaction beyond authentication, making it a serious risk for WordPress sites using this plugin. The CVSS v3.1 base score is 8.1, reflecting high impact on integrity and availability with low attack complexity and privileges required. No patches or official fixes have been linked yet, and no active exploits have been reported, but the potential for damage is substantial. This vulnerability highlights the risks of insufficient input validation in file handling functions within WordPress plugins, especially those that operate with file system permissions.

The potential impact of CVE-2025-10058 is significant for organizations running WordPress sites with the vulnerable WP Import plugin. Arbitrary file deletion can lead to denial of service by removing essential files, causing website downtime and loss of availability. More critically, deleting configuration files like wp-config.php can expose the site to remote code execution attacks, allowing attackers to gain full control over the web server environment. This can result in data breaches, website defacement, malware distribution, and lateral movement within the hosting infrastructure. The vulnerability requires only low-level authenticated access, which is commonly available to registered users or subscribers, increasing the attack surface. Organizations relying on WordPress for e-commerce, content management, or customer engagement face reputational damage, financial losses, and regulatory compliance issues if exploited. The lack of known exploits currently provides a window for proactive mitigation, but the ease of exploitation and high impact make this a critical risk for all affected sites globally.

To mitigate CVE-2025-10058, organizations should immediately update the WP Import – Ultimate CSV XML Importer plugin to a patched version once available. Until a patch is released, restrict plugin usage to trusted users only and audit user roles to minimize Subscriber-level access where possible. Implement web application firewall (WAF) rules to detect and block suspicious file deletion requests targeting critical files like wp-config.php. Employ file integrity monitoring to alert on unexpected deletions or modifications of key WordPress files. Harden file system permissions to prevent the web server process from deleting critical configuration files unless absolutely necessary. Regularly back up WordPress site files and databases to enable rapid recovery in case of file deletion. Additionally, monitor logs for unusual activity related to file operations initiated by authenticated users. Consider isolating WordPress instances or running plugins with least privilege principles to limit the blast radius of potential exploitation.