CVE-2025-2007 is a vulnerability classified under CWE-23 (Relative Path Traversal) found in the Import Export Suite for CSV and XML Datafeed plugin for WordPress, developed by smackcoders. The flaw exists in the deleteImage() function, which fails to properly validate file paths before deleting files. This lack of validation allows an authenticated attacker, even with low-level privileges such as Subscriber, to craft requests that specify arbitrary file paths outside the intended directory scope. Consequently, the attacker can delete any file on the server accessible by the web server user, including critical WordPress configuration files like wp-config.php. Deleting such files can disrupt site availability or facilitate remote code execution by forcing WordPress to regenerate configuration or by enabling further exploitation. The vulnerability affects all plugin versions up to and including 7.19. The CVSS v3.1 base score is 8.1, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and high impact on integrity and availability. Although no public exploits have been reported yet, the vulnerability's characteristics make it a high-risk issue for WordPress sites using this plugin. The absence of patch links indicates that a fix may not yet be publicly available, increasing the urgency for mitigation.

The vulnerability allows attackers with minimal privileges to delete arbitrary files on the server, which can severely impact the confidentiality, integrity, and availability of affected WordPress sites. Deletion of critical files such as wp-config.php can cause site downtime, loss of configuration data, and potentially enable remote code execution if attackers manipulate the environment post-deletion. This can lead to full site compromise, data breaches, defacement, or use of the site as a pivot point for further attacks within an organization's network. The ease of exploitation combined with the potential for high-impact outcomes makes this a significant threat to organizations relying on the affected plugin. The impact extends to any organization using WordPress with this plugin installed, including businesses, government agencies, and non-profits, potentially affecting their online presence and data security.

Organizations should immediately audit their WordPress installations to identify the presence of the Import Export Suite for CSV and XML Datafeed plugin. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Restricting user privileges to the minimum necessary can reduce risk, but since Subscriber-level users are sufficient to exploit this vulnerability, privilege management alone is insufficient. Implementing web application firewalls (WAFs) with custom rules to detect and block suspicious file deletion requests targeting the plugin's endpoints can provide temporary protection. Monitoring server logs for unusual file deletion activities or access patterns related to the plugin is also recommended. Once a patch is available, prompt application of updates is critical. Additionally, regular backups of WordPress files and configurations should be maintained to enable recovery in case of file deletion or compromise.