CVE-2025-10057

HighRCE

Published: 17 September 2025

Published

17 September 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0062 70.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10057 is a high-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of unfiltered inputs to the write_to_customfile() function, directly preventing injection of arbitrary PHP code into customFunction.php.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the specific flaw in ImportHelpers.php that allows unfiltered PHP writes, such as through plugin patching.

CM-7 Least Functionality good match

prevent

Restricts non-essential plugin capabilities like unrestricted file writing for custom PHP functions, prohibiting the vulnerable import feature for low-privilege users.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1100 Web Shell Persistence

A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.

attack.mitre.org →

Why these techniques?

Vulnerability enables RCE in public-facing WordPress plugin via unsanitized PHP file write, directly mapping to public app exploitation and web shell deployment.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a…

file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.

Deeper analysisAI

CVE-2025-10057 is a Remote Code Execution vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; CWE-94) in the WP Import – Ultimate CSV XML Importer plugin for WordPress, affecting all versions up to and including 7.28. The issue arises in the write_to_customfile() function within ImportHelpers.php, which writes unfiltered PHP code directly to a file without proper sanitization.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability by injecting arbitrary PHP code into the customFunction.php file. Once injected, the code can be accessed and executed remotely on the server, potentially allowing full compromise of the WordPress site.

Advisories and patch details are available via WordPress plugin trac references, including vulnerable code at ImportHelpers.php line 585 (tag 7.25) and fixes in changeset 3360428 for ImportHelpers.php and DesktopUpload.php. Additional analysis is provided in the Wordfence threat intelligence report.