Cyber Resilience

CVE-2025-10057

HighRCE

Published: 17 September 2025

Published
17 September 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0068 47.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-10057 is a high-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-10057 is a Remote Code Execution vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; CWE-94) in the WP Import – Ultimate CSV XML Importer plugin for WordPress, affecting all versions up to and including 7.28. The issue arises in the write_to_customfile() function within ImportHelpers.php, which writes unfiltered PHP code directly to a file without proper sanitization.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability by injecting arbitrary PHP code into the customFunction.php file. Once injected, the code can be accessed and executed remotely on the server, potentially allowing full compromise of the WordPress site.

Advisories and patch details are available via WordPress plugin trac references, including vulnerable code at ImportHelpers.php line 585 (tag 7.25) and fixes in changeset 3360428 for ImportHelpers.php and DesktopUpload.php. Additional analysis is provided in the Wordfence threat intelligence report.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a…

more

file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability enables RCE in public-facing WordPress plugin via unsanitized PHP file write, directly mapping to public app exploitation and web shell deployment.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-54724Shared CWE-94
CVE-2025-52744Shared CWE-94
CVE-2021-47778Shared CWE-94
CVE-2024-12252Shared CWE-94
CVE-2026-42607Shared CWE-94
CVE-2026-25447Shared CWE-94
CVE-2025-61196Shared CWE-94
CVE-2026-35194Shared CWE-94
CVE-2025-62521Shared CWE-94
CVE-2025-59954Shared CWE-94

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of unfiltered inputs to the write_to_customfile() function, directly preventing injection of arbitrary PHP code into customFunction.php.

prevent

Mandates timely identification, reporting, and correction of the specific flaw in ImportHelpers.php that allows unfiltered PHP writes, such as through plugin patching.

prevent

Restricts non-essential plugin capabilities like unrestricted file writing for custom PHP functions, prohibiting the vulnerable import feature for low-privilege users.

References