
Critical Security Flaw in WP Ultimate CSV Importer Plugin Affects 20,000+ WordPress Sites


If you are running a WordPress site and using the WP Ultimate CSV Importer plugin, it’s time to update—immediately. A recent security report from Wordfence has revealed two critical vulnerabilities in the plugin that could put over 20,000 websites at serious risk of hacking and data loss.

Security researchers discovered two major flaws in versions 7.19 and earlier of the WP Ultimate CSV Importer plugin:

1. Arbitrary File Upload Vulnerability (CVE-2025-2008)

The vulnerability allows attackers with subscriber-level access or higher to upload malicious files, including PHP scripts. Once a file is uploaded, attackers can achieve remote code execution, potentially taking complete control of the affected website. The vulnerability has a CVSS score of 8.8.

2. Arbitrary File Deletion Vulnerability (CVE-2025-2007)

This vulnerability allows attackers to delete any file on the server, including critical files like wp-config.php. Deleting the wp-config.php file can force the site into setup mode, making it vulnerable to a complete takeover. It has a CVSS score of 8.1.

Both vulnerabilities stem from insufficient access controls and poor input validation within the plugin’s import and file deletion functions.

The vulnerabilities were responsibly reported through the Wordfence Bug Bounty Program by a researcher known as mikemyers, who was awarded $1,144 for the discovery. Wordfence immediately contacted the plugin’s developer, Smackcoders, on March 5, 2025, and a patched version (7.19.1) was released on March 25, 2025.

If your website is running any version of WP Ultimate CSV Importer older than 7.19.1, you are vulnerable. Hackers could exploit these flaws to take over your website, inject malware, steal data, or disrupt your operations.

How to Protect Your Website

1. Update immediately to the latest version (7.19.1 or later). You can do this from your WordPress dashboard under Plugins > Installed Plugins.
2. If you can’t update immediately, consider deactivating and removing the plugin temporarily.
3. Use a WordPress security plugin like Wordfence to monitor for suspicious activity and block malicious file uploads.
4. Restrict user access levels; don’t give subscriber accounts unnecessary privileges.
5. Regularly back up your website, so you can restore it in case of an attack.
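To check an install against the two flaws described above, the following added example (not code from Wordfence, Smackcoders or this article) compares the installed plugin version with 7.19.1, confirms wp-config.php is still present, and lists server-executable files under the uploads directory. The plugin folder name `wp-ultimate-csv-importer`, the standard `wp-content` layout and the extension list are assumptions.

```python
import re
import sys
from pathlib import Path

PATCHED = (7, 19, 1)                     # first fixed release named in the article
PLUGIN_DIR = "wp-ultimate-csv-importer"  # assumption: plugin folder name, adjust if yours differs
PHP_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}  # assumed executable extensions

def parse_version(header):
    """Return the 'Version:' value of a plugin header as a tuple of ints, or None."""
    m = re.search(r"^[ \t/*#]*Version:\s*(\d+(?:\.\d+)*)", header, re.I | re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """Numeric comparison, so 7.2 sorts before 7.19 and 7.19 is read as 7.19.0."""
    padded = tuple(version) + (0,) * (len(PATCHED) - len(version))
    return padded < PATCHED

def audit(wp_root):
    """Return (kind, detail) findings for one WordPress install."""
    root, findings = Path(wp_root), []
    plugin = root / "wp-content" / "plugins" / PLUGIN_DIR
    for php in sorted(plugin.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        if "Plugin Name:" not in head:
            continue                      # not the main plugin file
        version = parse_version(head)
        if version is None:
            findings.append(("version-unreadable", str(php)))
        elif is_vulnerable(version):
            findings.append(("vulnerable-version", ".".join(map(str, version))))
    # WordPress accepts wp-config.php in the install root or one directory above it.
    if not any((d / "wp-config.php").is_file() for d in (root, root.parent)):
        findings.append(("wp-config-missing", str(root)))
    # Server-executable files under uploads are leads to review, not proof of compromise.
    uploads = root / "wp-content" / "uploads"
    for f in sorted(uploads.rglob("*")):
        if f.is_file() and f.suffix.lower() in PHP_EXT:
            findings.append(("php-in-uploads", str(f.relative_to(root))))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}: {detail}")
```

Run it with the WordPress root as the only argument; an empty result means none of the three checks fired, not that the site is clean.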

Final Thoughts

This incident once again highlights the importance of keeping your WordPress plugins updated. Vulnerabilities like these can provide an open door for hackers, leading to severe consequences, from defaced websites to complete data loss. If you’re using WP Ultimate CSV Importer, update it now and stay ahead of potential security threats.

For more WordPress security updates and tech news, keep following our blog!


About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
