CVE-2025-34083 is a critical security vulnerability identified in the AIT CSV Import/Export WordPress plugin developed by AitThemes, affecting all versions up to and including 3.0.3. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-306 (Missing Authentication for Critical Function), and CWE-20 (Improper Input Validation). The core issue lies in an upload handler script (upload-handler.php) that accepts multipart/form-data POST requests without enforcing any authentication or validating the content type of the uploaded files. This flaw allows an unauthenticated attacker to upload arbitrary files, including malicious PHP scripts, directly to the server. Although the plugin attempts to parse uploaded files as CSV, any parsing errors do not prevent the malicious file from being saved in the WordPress uploads directory (wp-content/uploads/), where it remains executable. Notably, the vulnerability can be exploited even if the plugin is installed but not activated, increasing the attack surface. The CVSS 4.0 base score is 10.0 (critical), reflecting the vulnerability’s ease of exploitation (no authentication or user interaction required), network attack vector, and its severe impact on confidentiality, integrity, and availability. Successful exploitation could lead to remote code execution (RCE), full site compromise, data theft, defacement, or pivoting to other internal systems. No patches or fixes have been published at the time of disclosure, and no known exploits are reported in the wild yet, but the critical nature and simplicity of exploitation make this a high-risk threat for WordPress sites using this plugin.

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress websites that use the AIT CSV Import/Export plugin. Exploitation could lead to complete server takeover, exposing sensitive customer data, intellectual property, and internal communications. This could result in severe GDPR violations with substantial fines and reputational damage. E-commerce platforms, government portals, educational institutions, and media outlets using the affected plugin are particularly vulnerable to data breaches, defacement, or service disruption. The ability to upload and execute arbitrary code without authentication makes it easy for attackers to deploy web shells, ransomware, or use the compromised server as a foothold for lateral movement within corporate networks. The fact that the plugin does not need to be active to be exploited increases the risk for organizations that may have installed but disabled the plugin, potentially leading to overlooked vulnerabilities during routine security assessments.

Immediate mitigation steps include: (1) Removing or completely uninstalling the AIT CSV Import/Export plugin from all WordPress installations until a secure patched version is released. (2) If removal is not immediately possible, restrict access to the upload-handler.php endpoint via web server configuration (e.g., using .htaccess rules or equivalent) to block all external HTTP POST requests to this script. (3) Implement Web Application Firewall (WAF) rules to detect and block suspicious file upload attempts targeting this endpoint. (4) Conduct thorough audits of the wp-content/uploads/ directory for any unauthorized PHP or executable files and remove them. (5) Monitor server logs for unusual POST requests or file uploads to the vulnerable endpoint. (6) Harden WordPress installations by disabling PHP execution in the uploads directory where possible. (7) Educate site administrators about the risk and ensure that all plugins are kept up to date with security patches. (8) Once a patch is available from the vendor, apply it promptly and verify the fix through testing. These targeted actions go beyond generic advice by focusing on the specific vulnerable endpoint and the unique characteristics of this plugin’s vulnerability.