CVE-2025-2007
Published: 01 April 2025
Summary
CVE-2025-2007 is a high-severity Relative Path Traversal (CWE-23) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is affected by an arbitrary file deletion vulnerability in all versions through 7.19, with the flaw reintroduced in version 7.20 before final remediation in 7.20.1. Insufficient file path validation in the deleteImage() function permits relative path traversal, tracked as CWE-23, enabling deletion of arbitrary server files.
Authenticated attackers holding Subscriber-level privileges or higher can exploit the issue remotely with low attack complexity and no user interaction required. By targeting critical files such as wp-config.php, they can achieve high impact on integrity and availability, potentially resulting in remote code execution on the affected WordPress installation.
Advisories reference patches applied via WordPress plugin trac changesets that update MediaHandling.php and related code paths, with additional details provided by Wordfence threat intelligence. The EPSS score remains flat at 0.1104 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9114
Vulnerability details
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
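The root cause described in both the deeper analysis and the vulnerability details is a delete routine that trusts a caller-supplied relative path. The following is an added illustration of the containment check a defender would expect such a routine to perform; it is not the plugin's code, does not reproduce the deleteImage() function, and the function name safe_delete_image(), the $uploadsDir parameter and the logging text are assumptions. It resolves the candidate path with realpath(), which collapses ../ segments and follows symlinks, and refuses anything that does not end up strictly inside the uploads directory.

```php
<?php
// Added example (not the plugin's own code): a containment check that a
// file-deletion routine should apply before calling unlink().
// Assumptions: $uploadsDir is the uploads base directory (in WordPress this
// would come from wp_upload_dir()['basedir']); the function name is hypothetical.
function safe_delete_image(string $uploadsDir, string $requestedPath): bool
{
    // Canonical base directory; bail out if it does not exist.
    $base = realpath($uploadsDir);
    if ($base === false) {
        return false;
    }

    // Canonicalise the candidate. realpath() returns false for a missing
    // file and resolves any "../" segments and symlinks, so a link placed
    // inside the uploads tree that points at wp-config.php is resolved to
    // its real location and rejected by the prefix test below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requestedPath);
    if ($candidate === false) {
        return false;
    }

    // Containment: the resolved path must start with "<base>/".
    // Comparing against the base plus a separator prevents "/uploads-evil"
    // from matching "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        error_log("safe_delete_image: rejected path outside uploads dir: {$requestedPath}");
        return false;
    }

    // Only regular files are eligible; never directories or special files.
    if (!is_file($candidate)) {
        return false;
    }

    return unlink($candidate);
}
```

In a WordPress plugin this check would sit behind a capability test (for example current_user_can('upload_files')) and a nonce check, since the advisory notes that Subscriber-level accounts could reach the vulnerable code path; the containment check alone does not address the missing authorisation. The rejected-path log line also gives defenders a concrete event to alert on.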
- CWE(s): CWE-23 (Relative Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.