20,000 WordPress Sites Affected by Arbitrary File Upload and Deletion Vulnerabilities in WP Ultimate CSV Importer WordPress Plugin


📱 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


On March 5th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in WP Ultimate CSV Importer, a WordPress plugin with more than 20,000 active installations. The arbitrary file upload vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by authenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible.

Props to mikemyers who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. This researcher earned bounties of $676.00 and $468.00 for these discoveries. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Malicious File Upload and Directory Traversal protections.

We contacted the Smackcoders team on March 5, 2025, and received a response on March 7, 2025. After providing full disclosure details, the developer released a patch on March 25, 2025. We would like to commend the Smackcoders team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Ultimate CSV Importer, version 7.19.1 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Import Export Suite for CSV and XML Datafeed <= 7.19 – Authenticated (Subscriber+) Arbitrary File Upload
Affected Plugin: Import Export Suite for CSV and XML Datafeed
Plugin Slug: wp-ultimate-csv-importer
Affected Versions: <= 7.19
CVE ID: CVE-2025-2008
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: mikemyers
Fully Patched Version: 7.19.1
Bounty Award: $676.00

The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Description: Import Export Suite for CSV and XML Datafeed <= 7.19 – Authenticated (Subscriber+) Arbitrary File Deletion
Affected Plugin: Import Export Suite for CSV and XML Datafeed
Plugin Slug: wp-ultimate-csv-importer
Affected Versions: <= 7.19
CVE ID: CVE-2025-2007
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Researcher/s: mikemyers
Fully Patched Version: 7.19.1
Bounty Award: $468.00

The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Technical Analysis #1: Arbitrary File Upload

WP Ultimate CSV Importer is a WordPress plugin that allows users to easily import and export data in CSV and XML formats.

Examining the code reveals that the plugin uses the import_single_post_as_csv() function in the SingleImportExport class to handle the post import from a csv file.

public static function import_single_post_as_csv() {
	check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
	// The nonce check above is the only gate; no capability check follows it.

	$file_name = sanitize_file_name($_FILES['file']['name']);
	// The extension is read here but never compared against an allowlist.
	$file_extension = pathinfo($file_name, PATHINFO_EXTENSION);
	$upload = wp_upload_dir();
	$upload_dir = $upload['basedir'];
	if (is_user_logged_in() && current_user_can('administrator'))
	{
		$upload_dir = $upload_dir . '/smack_uci_uploads/imports/';
		if (!is_dir($upload_dir)) {
			wp_mkdir_p($upload_dir);
			chmod($upload_dir, 0755);

			$index_php_file = $upload_dir . 'index.php';
			if (!file_exists($index_php_file)) {
				$file_content = '<?php' . PHP_EOL . '?>';
				file_put_contents($index_php_file, $file_content);
			}
		}
	}
	if ($mode != 'CLI') { // $mode is not defined within the excerpt shown here
		chmod($upload_dir, 0777);
	}

	$upload_dir_path = $upload_dir. $file_name;
	if (!is_dir($upload_dir_path)) {
		wp_mkdir_p( $upload_dir_path);
	}
	chmod($upload_dir_path, 0777);

	$csv_file = $upload_dir_path.'/'.$file_name;
	if(move_uploaded_file($_FILES['file']['tmp_name'], $csv_file)){
		// ... remainder of the function omitted in the advisory
	}
}

Although the function is nonce-protected, the nonce can unfortunately be obtained by any authenticated user with access to /wp-admin, and there is no capability check in this function before the file is uploaded. This makes it possible for authenticated attackers with subscriber-level permissions to invoke the AJAX action.

In addition, the function does not include any file type or extension checks in the vulnerable version. This means that not only .csv files can be uploaded, but it is also possible to upload .php files. The file is uploaded to the WordPress uploads folder, which is publicly accessible by default. This makes it possible for authenticated attackers, with subscriber-level access, to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.

As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.
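The following is an added example, not code from the plugin or from Wordfence: a hardened version of the CSV import handler that closes the two gaps described above, a missing capability check and a missing file type allowlist, while dropping the world-writable chmod calls. The function name smack_uci_safe_import_csv, the AJAX action name and the choice of the manage_options capability are assumptions made for illustration.

```php
<?php
/*
 * Added example (not the plugin's own code): hardened CSV import handler.
 * Assumptions: function/action name smack_uci_safe_import_csv and the
 * manage_options capability as the authorization bar.
 */

function smack_uci_safe_import_csv() {
    // The nonce only proves the request came from a page that carries it
    // (CSRF protection); it says nothing about what the user may do.
    check_ajax_referer('smack-ultimate-csv-importer', 'securekey');

    // Authorization: importing posts is an administrative task, so require a
    // capability that Subscribers never hold.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('You are not allowed to import files.', 403);
    }

    if (empty($_FILES['file']['tmp_name']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
        wp_send_json_error('No file was uploaded.', 400);
    }

    // Reduce the client-supplied name to a sanitized basename so it cannot
    // carry directory components.
    $file_name = sanitize_file_name(wp_basename($_FILES['file']['name']));

    // Allowlist: the only type this endpoint exists to receive is CSV. With a
    // one-entry $mimes list, wp_check_filetype_and_ext() reports ext === false
    // for any other extension, so the stored name always ends in .csv and a
    // payload can never be given an executable extension.
    $allowed = array('csv' => 'text/csv');
    $check   = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $file_name, $allowed);
    if ('csv' !== $check['ext']) {
        wp_send_json_error('Only .csv files can be imported.', 400);
    }

    // Store under a dedicated import directory with ordinary permissions;
    // the original code's chmod 0777 calls are not needed.
    $upload = wp_upload_dir();
    $dir    = trailingslashit($upload['basedir']) . 'smack_uci_uploads/imports/';
    if (!is_dir($dir)) {
        wp_mkdir_p($dir);
    }

    $dest = $dir . $file_name;
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        wp_send_json_error('The uploaded file could not be stored.', 500);
    }
    chmod($dest, 0644);

    wp_send_json_success(array('file' => $file_name));
}
add_action('wp_ajax_smack_uci_safe_import_csv', 'smack_uci_safe_import_csv');
```

The capability check is the fix that matters most: a nonce is a CSRF token, not an authorization decision, and any handler reachable through wp_ajax_ should make its own current_user_can() call. Because the import directory still lives under wp-content/uploads, which the web server serves directly, a server-level rule that refuses to execute PHP inside the uploads tree remains a sensible second layer that this application-side fix does not replace.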

Technical Analysis #2: Arbitrary File Deletion

Examining the code reveals that the plugin uses the deleteImage() function in the MediaHandling class to delete image files.

public function deleteImage()
{
	check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
	// No capability check follows the nonce check.
	$images = json_decode(stripslashes($_POST['images']), true);
	if (!empty($images)) {
		// Get the media upload directory
		$media_dir = wp_get_upload_dir();
		$upload_path = $media_dir['path'];
		foreach ($images as $image) {
			// Ensure that the image name is a valid file name
			// (the plugin's own comment; the code below only keeps the part after
			// the last '/', it does not validate the name or its extension)
			if (strpos($image, '/')) {
				$img_parts = explode('/', $image);
				$deleteimage = end($img_parts);
			} else {
				$deleteimage = $image;
			}
			// The resulting path is used without an allowlist or a containment check.
			$file_path = $upload_path . '/' . $deleteimage;
			if (file_exists($file_path)) {
				unlink($file_path);
				// ... remainder of the function omitted in the advisory
			}
		}
	}
}

Unfortunately, the image parameter is not properly sanitized and is not limited to image files. This means that attackers can specify any file on the server to be deleted. In addition, no capability check is present on the function and, like the previous function, the nonce is exposed to authenticated users with access to the admin dashboard.

This makes it possible for authenticated attackers with minimal access, like subscribers, to delete any arbitrary file on the server, including the site’s wp-config.php file. Deleting the wp-config.php forces the site into a setup state, allowing an attacker to take control by redirecting it to a database under their control. This ultimately provides access to the site’s server where further infection can take place.
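The following is an added example, not code from the plugin or from Wordfence: a hardened deletion handler that keeps the original interface (a JSON array of image names in the images POST parameter) but adds a capability check, an image extension allowlist, and a realpath() containment check so that the file finally unlinked is guaranteed to sit inside the upload directory. The function name smack_uci_safe_delete_image, the action name, the manage_options capability and the extension list are assumptions made for illustration.

```php
<?php
/*
 * Added example (not the plugin's own code): hardened image deletion handler.
 * Assumptions: function/action name smack_uci_safe_delete_image, the
 * manage_options capability, and the extension allowlist below.
 */

function smack_uci_safe_delete_image() {
    check_ajax_referer('smack-ultimate-csv-importer', 'securekey');

    // Authorization first: deleting files is never a Subscriber-level action.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('You are not allowed to delete files.', 403);
    }

    $raw    = isset($_POST['images']) ? wp_unslash($_POST['images']) : '';
    $images = json_decode($raw, true);
    if (!is_array($images)) {
        wp_send_json_error('Invalid image list.', 400);
    }

    $media_dir   = wp_get_upload_dir();
    $upload_path = realpath($media_dir['path']);
    if (false === $upload_path) {
        wp_send_json_error('Upload directory is unavailable.', 500);
    }

    $allowed_ext = array('jpg', 'jpeg', 'png', 'gif', 'webp');
    $deleted     = array();
    $rejected    = array();

    foreach ($images as $image) {
        if (!is_string($image)) {
            $rejected[] = $image;
            continue;
        }

        // Keep only the final path component so any directory components sent
        // by the client are discarded, whichever separator they use.
        $name = wp_basename(str_replace('\\', '/', $image));
        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if ('' === $name || !in_array($ext, $allowed_ext, true)) {
            $rejected[] = $image;
            continue;
        }

        // Resolve symlinks and '..', then confirm the result still lies inside
        // the upload directory before touching it.
        $target = realpath($upload_path . '/' . $name);
        if (false === $target
            || 0 !== strpos($target, $upload_path . DIRECTORY_SEPARATOR)
            || !is_file($target)) {
            $rejected[] = $image;
            continue;
        }

        if (unlink($target)) {
            $deleted[] = $name;
        } else {
            $rejected[] = $image;
        }
    }

    wp_send_json_success(array('deleted' => $deleted, 'rejected' => $rejected));
}
add_action('wp_ajax_smack_uci_safe_delete_image', 'smack_uci_safe_delete_image');
```

The basename step alone already removes traversal sequences, so the realpath() comparison is deliberately redundant: it also rejects a symlink placed inside the upload directory that points elsewhere, and it is the check that keeps holding if a later refactor reintroduces directory components. Where a deleted file is a media library attachment, calling wp_delete_attachment() on the attachment ID instead of unlink() would also remove the corresponding database record.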

Disclosure Timeline

March 5, 2025 – We received submissions for both an Arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability in WP Ultimate CSV Importer via the Wordfence Bug Bounty Program.
March 5, 2025 – We validated the reports and confirmed the proof-of-concept exploits.
March 5, 2025 – We initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion.
March 7, 2025 – The vendor confirmed the inbox for handling the discussion.
March 7, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
March 25, 2025 – The fully patched version of the plugin, 7.19.1, was released.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability, and an Arbitrary File Deletion vulnerability within the WP Ultimate CSV Importer plugin affecting versions 7.19 and earlier. The Arbitrary File Upload vulnerability allows authenticated threat actors with subscriber-level permissions or higher to execute malicious code on the server. The Arbitrary File Deletion vulnerability allows authenticated threat actors with subscriber-level permissions or higher to delete arbitrary files, including the wp-config.php file, which can make site takeover possible. The vulnerabilities have been addressed in version 7.19.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Ultimate CSV Importer as soon as possible considering the critical nature of these vulnerabilities.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against these vulnerabilities.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.
