CVE-2025-5061 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the WP Import Export Lite plugin for WordPress. The root cause is the absence of proper file type validation in the 'wpie_parse_upload_data' function across all versions up to 3.9.29. This flaw allows authenticated attackers with Subscriber-level access and permissions delegated by an Administrator to upload arbitrary files to the server hosting the WordPress site. Since the plugin does not adequately restrict or sanitize the file types being uploaded, attackers can upload malicious files, potentially leading to remote code execution (RCE). The vulnerability is network exploitable without user interaction, but requires low-level privileges and administrative permission delegation. Although a partial patch was introduced in version 3.9.29, the vulnerability remains exploitable in all prior versions. The CVSS 3.1 base score is 7.5, reflecting high severity due to the potential for full compromise of the affected system's confidentiality, integrity, and availability. No public exploits have been reported yet, but the risk remains significant given the widespread use of WordPress and this plugin. The vulnerability highlights the critical need for strict validation of uploaded files in web applications, especially those that allow user-generated content or file imports.

The impact of CVE-2025-5061 is substantial for organizations using the WP Import Export Lite plugin on WordPress sites. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the web server. This can result in full system compromise, data theft, defacement, malware deployment, or pivoting to internal networks. Confidentiality is at risk as attackers may access sensitive data stored on the server. Integrity is compromised because attackers can modify or delete files and data. Availability may be disrupted if attackers deploy ransomware or cause denial-of-service conditions. The requirement for only Subscriber-level access with delegated permissions lowers the barrier to exploitation, increasing risk especially in environments with multiple users or weak administrative controls. Organizations with public-facing WordPress sites that rely on this plugin are particularly vulnerable, including e-commerce, media, and corporate websites. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public.

1. Update the WP Import Export Lite plugin to the latest version as soon as a complete patch is released beyond version 3.9.29 to ensure the vulnerability is fully addressed. 2. Until patched, restrict plugin usage to trusted administrators only and disable it on sites where it is not essential. 3. Implement strict file upload validation at the web server or application firewall level to block dangerous file types and enforce whitelist policies. 4. Limit permissions so that Subscriber-level users cannot upload files or delegate permissions that enable uploads. 5. Monitor web server logs and WordPress activity logs for unusual file upload attempts or suspicious behavior related to the plugin. 6. Employ web application firewalls (WAFs) with rules targeting arbitrary file upload attempts and known attack patterns. 7. Conduct regular security audits and penetration testing focusing on file upload functionalities. 8. Educate administrators on the risks of delegating permissions and enforce the principle of least privilege. 9. Backup website data regularly and ensure backups are stored securely offline to enable recovery in case of compromise. 10. Consider isolating WordPress instances or running them in containerized environments to limit the blast radius of potential exploitation.