Arbitrary File Upload Flaw in WP Import Export Lite Plugin for WordPress
CVE-2025-6207
7.5HIGH
What is CVE-2025-6207?
The WP Import Export Lite plugin for WordPress suffers from a serious vulnerability due to inadequate file type validation within its 'wpie_tempalte_import' function. This flaw affects all versions up to and including 3.9.28 and allows authenticated attackers, with Subscriber-level access or higher, to upload arbitrary files to the server. If exploited, this can lead to remote code execution on the affected site, potentially compromising site integrity and user data.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
WP Import Export Lite * <= 3.9.28
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Vincent Fourcade