CVE-2025-10312
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: Wordfence

Description
The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger arbitrary file downloads and potentially execute malicious operations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-14
NVD
CVE-2025-10312
EUVD
EUVD-2025-34550
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress theme_importer 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include: 1) Restricting access to the Theme Importer plugin by limiting admin users who can access it; 2) Disabling or uninstalling the Theme Importer plugin until a patched version is available; 3) Applying strict input validation and nonce verification in the plugin code to prevent CSRF and arbitrary file downloads; 4) Monitoring and removing any suspicious files or directories created by the plugin; 5) Keeping WordPress and all plugins updated to the latest versions. Since the vulnerability is due to missing nonce validation and lack of input sanitization, patching or disabling the plugin is critical. [2]

Executive Summary

CVE-2025-10312 is a vulnerability in the WordPress Theme Importer plugin (up to version 1.0) caused by missing nonce validation in the theme-importer.php file. This lack of validation allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks by tricking a site administrator into clicking a malicious link. The plugin downloads and extracts theme ZIP files from user-supplied URLs without proper validation or sanitization, enabling attackers to trigger arbitrary file downloads and potentially execute malicious operations on the site. [2]

Impact Analysis

This vulnerability can allow attackers to perform unauthorized actions by tricking an administrator into clicking a malicious link, leading to arbitrary file downloads and extraction of potentially malicious ZIP archives. This can result in placing malicious files such as PHP backdoors within the WordPress theme directory, potentially leading to remote code execution, site compromise, and loss of control over the affected website. [2]

Detection Guidance

Detection can involve monitoring for suspicious HTTP POST requests to the theme-importer.php file that include URLs for ZIP file downloads. On the server, you can check for unexpected ZIP file downloads or new theme directories created recently. Commands to help detect this include: 1) Using web server logs to search for POST requests to theme-importer.php, e.g., `grep 'POST .*theme-importer.php' /var/log/apache2/access.log`; 2) Checking for recently modified or created theme directories, e.g., `find /path/to/wordpress/wp-content/themes/ -type d -ctime -7`; 3) Searching for ZIP files downloaded recently, e.g., `find /path/to/wordpress/wp-content/themes/ -name '*.zip' -ctime -7`. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart