
CVE-2025-2008: CWE-434 Unrestricted Upload of File with Dangerous Type in smackcoders Import Export Suite for CSV and XML Datafeed

Severity: High
Tags: Vulnerability, CVE-2025-2008, CWE-434
Published: Tue Apr 01 2025 (04/01/2025, 04:21:20 UTC)
Source: CVE Database V5
Vendor/Project: smackcoders
Product: Import Export Suite for CSV and XML Datafeed

Description

CVE-2025-2008 is a high-severity vulnerability in the Import Export Suite for CSV and XML Datafeed WordPress plugin by smackcoders, affecting all versions up to and including 7.19. It allows authenticated users with Subscriber-level access or higher to upload arbitrary files because the import_single_post_as_csv() function performs no file type validation. Such an unrestricted file upload can lead to remote code execution on the affected server. The vulnerability requires no user interaction beyond authentication and has a CVSS score of 8.8, indicating a critical impact on confidentiality, integrity, and availability. No exploits have been observed in the wild so far. Organizations using this plugin should apply patches as soon as they become available, or in the meantime implement strict access controls and file upload restrictions to mitigate the risk. Countries with significant WordPress usage and large e-commerce or content management deployments are most at risk.

AI-Powered Analysis

Last updated: 02/25/2026, 22:14:29 UTC

Technical Analysis

The Import Export Suite for CSV and XML Datafeed plugin for WordPress, developed by smackcoders, suffers from a critical vulnerability identified as CVE-2025-2008. This vulnerability arises from the lack of proper file type validation in the import_single_post_as_csv() function, which is responsible for handling file uploads during data import operations. Specifically, the plugin does not restrict the types of files that authenticated users can upload, allowing attackers with as low as Subscriber-level privileges to upload arbitrary files to the web server. Because these files can include executable scripts, this flaw can be exploited to achieve remote code execution (RCE), enabling attackers to execute malicious code on the server, potentially leading to full site compromise. The vulnerability affects all versions up to and including 7.19, with no patch currently available at the time of disclosure. The CVSS 3.1 base score of 8.8 reflects the vulnerability's ease of exploitation over the network (AV:N), low attack complexity (AC:L), the requirement for low privileges (PR:L), no user interaction (UI:N), and its impact on confidentiality, integrity, and availability (all high). Although no active exploits have been reported in the wild, the vulnerability presents a significant risk due to the widespread use of WordPress and the plugin's functionality in data import/export workflows.

Potential Impact

This vulnerability poses a severe risk to organizations using the affected plugin, as it enables attackers with minimal privileges to upload arbitrary files, potentially leading to remote code execution. Successful exploitation can result in full compromise of the WordPress site, including unauthorized access to sensitive data, defacement, data loss, or using the server as a pivot point for further attacks within the network. The impact extends to confidentiality, integrity, and availability of the affected systems. Given WordPress's extensive use in websites globally, including e-commerce, corporate, and governmental sites, exploitation could disrupt business operations, damage reputation, and incur financial losses. The vulnerability's exploitation does not require user interaction beyond authentication, increasing the likelihood of automated or targeted attacks. Organizations with multi-user WordPress environments are particularly at risk, as even low-privileged users can trigger the exploit.

Mitigation Recommendations

Until an official patch is released, organizations should implement immediate compensating controls. These include restricting plugin usage to trusted administrators only, disabling or removing the Import Export Suite for CSV and XML Datafeed plugin if not essential, and enforcing strict user role management to limit Subscriber-level access. Web application firewalls (WAFs) should be configured to detect and block suspicious file upload attempts, especially those targeting the import_single_post_as_csv() function. Monitoring file upload directories for unauthorized or unusual files can help detect exploitation attempts early. Additionally, applying the principle of least privilege to WordPress user roles and regularly auditing installed plugins for vulnerabilities is critical. Once a patch becomes available, prompt application is essential. Organizations should also consider isolating WordPress instances and backing up data regularly to enable recovery in case of compromise.
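The two defensive pieces described in the analysis and the recommendations above, shown as an added example that is not code from the advisory, from Wordfence, or from the plugin itself: first, an allowlist check of the kind the analysis says import_single_post_as_csv() lacks (final extension must be csv or xml, no server-executable segment hidden in a double extension, and no PHP opening tag in the content regardless of the name); second, a scan of an uploads directory that reports files a data-import feature should never have written, which is the "monitoring file upload directories" control from the mitigation section. It is written in Python rather than the plugin's PHP so it runs stand-alone; the allowed-extension set, the server-executable extension set, the `wp-content/uploads/`-style layout and all sample files are assumptions constructed for the demonstration, not values taken from the plugin.

```python
"""Added example: upload allowlist check plus uploads-directory audit for the
CWE-434 issue described in CVE-2025-2008.  Not the plugin's code; every path
and sample file below is constructed for the demonstration."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extensions a CSV/XML data-import feature legitimately needs (assumption).
ALLOWED_EXTENSIONS = {"csv", "xml"}

# Extensions a typical PHP web server executes when requested directly
# (assumption: Apache/nginx with PHP; adjust to the handler map in use).
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8",
                     "phtml", "phar", "cgi", "pl"}

# PHP opening tags; a CSV or XML data file should never contain them.
PHP_TAGS = (b"<?php", b"<?=")


def _has_php_tag(head: bytes) -> bool:
    return any(tag in head for tag in PHP_TAGS)


def is_acceptable_upload(filename: str, content: bytes) -> bool:
    """Allowlist check of the kind the advisory says the plugin lacks.

    Accepts only when the final extension is csv/xml, no earlier dotted
    segment is server-executable (rejects names like report.php.csv, which
    some handler configurations still execute), and the first 4 KiB carry
    no PHP opening tag whatever the name claims.
    """
    name = os.path.basename(filename)
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                      # no extension, or dot-prefixed name
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False                      # anything not csv/xml is rejected
    if any(p in SERVER_EXECUTABLE for p in parts[1:-1]):
        return False                      # double extension hiding a script
    if _has_php_tag(content[:4096]):
        return False                      # content contradicts the name
    return True


def audit_uploads_dir(root: str) -> list[tuple[str, str]]:
    """Walk an uploads tree and return (relative POSIX path, reason) for
    files that a data-import feature should never have written."""
    findings: list[tuple[str, str]] = []
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        parts = path.name.lower().split(".")
        if parts[-1] in SERVER_EXECUTABLE:
            findings.append((rel, "server-executable extension"))
        elif any(p in SERVER_EXECUTABLE for p in parts[1:-1]):
            findings.append((rel, "executable segment in double extension"))
        elif path.name.lower() == ".htaccess":
            findings.append((rel, "per-directory web server config in uploads"))
        elif parts[-1] in ALLOWED_EXTENSIONS:
            # Data files get a content check: only the first 4 KiB is read.
            with path.open("rb") as fh:
                if _has_php_tag(fh.read(4096)):
                    findings.append((rel, "PHP opening tag inside data file"))
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree standing in for a wp-content/uploads/ layout
    (the plugin's real upload location is not stated in the advisory)."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    month = Path(root) / "2025" / "04"
    month.mkdir(parents=True)
    (month / "products.csv").write_bytes(b"sku,name\n1,Widget\n")
    (month / "feed.xml").write_bytes(b"<?xml version='1.0'?><items/>\n")
    (month / "upload.php").write_bytes(b"<?php /* constructed marker */ ?>\n")
    (month / "report.php.csv").write_bytes(b"a,b\n1,2\n")
    (month / "data.csv").write_bytes(b"id\n<?php /* constructed marker */ ?>\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, reason in audit_uploads_dir(demo_root):
        print(f"{reason}: {rel}")
```

Run against the constructed tree, the audit flags `upload.php`, `report.php.csv` and `data.csv` and leaves `products.csv` and `feed.xml` alone; pointed at a real uploads directory it is a cheap scheduled check, and any hit there is worth treating as a possible exploitation of this or a similar upload flaw rather than as noise. The allowlist function is deliberately name-and-content based: extension checks alone are defeated by double extensions and by content that does not match the name, which is why both are rejected.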


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-05T21:30:50.072Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b1db7ef31ef0b54e3f1

Added to database: 2/25/2026, 9:35:25 PM

Last enriched: 2/25/2026, 10:14:29 PM

Last updated: 2/26/2026, 6:50:26 AM

