Arbitrary File Deletion Vulnerability in WordPress Import Export Suite for CSV and XML Datafeed
CVE-2025-2007

8.1HIGH

Key Information:

Vendor: WordPress
Status: Import Export Suite For Csv And Xml Datafeed
Vendor: CVE Published:; 1 April 2025

What is CVE-2025-2007?

The Import Export Suite for CSV and XML Datafeed plugin for WordPress is susceptible to arbitrary file deletion due to inadequate file path validation in its deleteImage() function. This vulnerability affects all versions up to and including 7.19, enabling authenticated attackers with Subscriber-level access or higher to delete arbitrary files from the server. Such actions can result in severe consequences, including the potential for remote code execution if critical files, such as wp-config.php, are targeted for deletion.

Affected Version(s)

Import Export Suite for CSV and XML Datafeed * <= 7.19

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3261521/wp-u...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 1, 2025
Vulnerability Reserved
Mar 5, 2025

Credit

Michael Mazzolini