Cyber Resilience

CVE-2025-5061

High

Published: 05 August 2025
Modified: 13 August 2025
KEV Added: not listed
Patch: partially patched in 3.9.29 (see details below)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0162 (82.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-5061 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Vjinfotech Wp Import Export Lite. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpie_parse_upload_data function. This affects all versions up to and including 3.9.29, with the issue partially addressed in that release. The flaw is tracked as CWE-434 and carries a CVSS 3.1 score of 7.5.

Authenticated attackers holding Subscriber-level access or higher, when granted the necessary permissions by an Administrator, can exploit the weakness to upload arbitrary files to the server. Successful exploitation may enable remote code execution on the affected site.

References from the WordPress plugin repository and Wordfence indicate that the vulnerability was partially mitigated in version 3.9.29, with code changes visible in the associated changeset entries that address upload validation logic. The EPSS score remains flat at 0.0162 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload in a public-facing WordPress plugin directly enables T1190 exploitation and T1505.003 web shell deployment leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-6207: same product (Vjinfotech Wp Import Export Lite)
- CVE-2025-46384: shared CWE-434
- CVE-2025-13516: shared CWE-434
- CVE-2024-13011: shared CWE-434
- CVE-2025-8323: shared CWE-434
- CVE-2025-21624: shared CWE-434
- CVE-2026-35164: shared CWE-434
- CVE-2026-2097: shared CWE-434
- CVE-2025-12154: shared CWE-434
- CVE-2026-42748: shared CWE-434

Affected Assets

Vendor: vjinfotech
Product: wp import export lite
Versions: ≤ 3.9.30

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-10 Information Input Validation (prevent): Directly addresses the missing file type validation in the wpie_parse_upload_data function by requiring comprehensive input validation for uploaded files to prevent arbitrary uploads.
- SI-2 Flaw Remediation (prevent): Ensures timely identification, reporting, and patching of the arbitrary file upload flaw in the WP Import Export Lite plugin versions up to 3.9.29.
- AC-6 Least Privilege (prevent): Enforces least privilege to restrict Subscriber-level users from receiving administrator-granted permissions needed to access and exploit the vulnerable upload function.
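The "Deeper analysis" section and the SI-10 control above both come down to the same defect class: an upload handler that never checks what kind of file it is storing. The following is an added illustration, not code from the WP Import Export Lite plugin or from Wordfence, and it does not reproduce the actual wpie_parse_upload_data function. It contrasts a hypothetical weak handler with a hardened one built from WordPress core helpers (current_user_can, sanitize_file_name, wp_check_filetype_and_ext, wp_handle_upload). The function names prefixed example_, the allow-list of import formats, and the required capability are assumptions chosen for the illustration.

```php
<?php
// Hypothetical import-upload handlers (illustration only; not the plugin's code).
// $file is one entry of $_FILES, i.e. array( 'name' => ..., 'type' => ..., 'tmp_name' => ..., ... ).

// WEAK (CWE-434 pattern): trusts the client-supplied file name and MIME type and
// moves the file into a web-reachable directory unchanged. A .php payload named
// like a data file is accepted, which is what enables web shell persistence.
function example_weak_upload( array $file, string $dest_dir ) {
    $dest = trailingslashit( $dest_dir ) . basename( $file['name'] );
    return move_uploaded_file( $file['tmp_name'], $dest ) ? $dest : false;
}

// HARDENED: capability gate (least privilege), request-origin check, explicit
// allow-list, server-side type detection, and storage via wp_handle_upload(),
// which applies the allow-list again and rejects files whose detected type
// disagrees with their extension.
function example_hardened_upload( array $file, string $nonce ) {
    // Assumption for this example: only administrators may run an import.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability for import upload.' );
    }
    // Assumed nonce action name; reject forged cross-site requests.
    if ( ! wp_verify_nonce( $nonce, 'example_import_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request token.' );
    }

    // Assumed allow-list of import formats. Keep it as narrow as the feature needs;
    // never include executable or server-interpreted types.
    $allowed = array(
        'csv'  => 'text/csv',
        'xml'  => 'application/xml',
        'json' => 'application/json',
    );

    if ( ! isset( $file['tmp_name'], $file['name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file present.' );
    }

    // Normalise the name (strips path separators and odd characters), then let
    // WordPress decide the extension/type from the allow-list and, where it can,
    // from the file content rather than from what the client claimed.
    $name  = sanitize_file_name( $file['name'] );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted for import.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename']; // WordPress corrected a mismatched extension
    }
    $file['name'] = $name;

    // test_form => false because this is not a wp-admin form post; mimes restricts
    // wp_handle_upload() to the same allow-list so the two checks cannot drift apart.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file']; // absolute path under wp-content/uploads
}
```

The hardened handler ties SI-10 (validate the file type on the server against an explicit allow-list) to the least-privilege control (only a high-capability role reaches the upload path at all). Even with both in place, a defence-in-depth measure on the web server is to deny execution of any script in the uploads directory, so that a bypass of the type check still cannot turn into code execution.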

References