CVE-2025-5061
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vjinfotech | wp_import_export_lite | to 3.9.30 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP Import Export Lite WordPress plugin allows authenticated users with Subscriber-level access and permissions granted by an Administrator to upload arbitrary files to the server. This happens because the plugin's 'wpie_parse_upload_data' function lacks proper file type validation, enabling attackers to upload potentially malicious files. This flaw exists in all versions up to and including 3.9.29, although version 3.9.29 partially patches it by enforcing stricter file type and MIME type checks during file uploads. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to upload arbitrary files to the affected WordPress site's server, which may lead to remote code execution. This means an attacker could execute malicious code on the server, potentially compromising the entire website, stealing data, defacing the site, or using the server for further attacks. Since the vulnerability requires only Subscriber-level access with Administrator-granted permissions, it poses a significant risk if such permissions are misused or compromised.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the WP Import Export Lite plugin version is up to and including 3.9.29 and if arbitrary file uploads are possible by authenticated users with Subscriber-level access or higher. Since the vulnerability relates to missing file type validation in the 'wpie_parse_upload_data' function, you can check for suspicious file uploads or unexpected file types in the plugin's upload directories. Commands to detect suspicious files could include scanning the WordPress upload directories for unexpected file extensions or recently modified files. For example, on the server hosting the WordPress site, you could run commands like: 1) `find /path/to/wordpress/wp-content/uploads/ -type f -mtime -7` to find files modified in the last 7 days, 2) `find /path/to/wordpress/wp-content/uploads/ -type f ! -name '*.csv' ! -name '*.json' ! -name '*.xml' ! -name '*.xls' ! -name '*.xlsx' ! -name '*.ods'` to find files with unexpected extensions, or 3) check web server logs for POST requests to the plugin's upload endpoints that include file uploads. Additionally, monitoring for files with executable code or web shells in upload directories may help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the WP Import Export Lite plugin to version 3.9.29 or later, where the vulnerability is partially patched with strict file type validation and improved security controls. 2) Restricting file upload permissions to trusted users only, ensuring that Subscriber-level users do not have upload permissions unless absolutely necessary. 3) Implementing additional server-side controls such as disabling execution of uploaded files in the upload directories via web server configuration (e.g., using .htaccess rules or equivalent). 4) Monitoring and auditing file uploads and user activities related to the plugin. 5) If updating immediately is not possible, consider temporarily disabling the plugin or restricting access to its upload functionality until the patch can be applied. [2]