CVE-2025-5061
Published: 05 August 2025
Summary
CVE-2025-5061 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Vjinfotech Wp Import Export Lite. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpie_parse_upload_data function. This affects all versions up to and including 3.9.29, with the issue partially addressed in that release. The flaw is tracked as CWE-434 and carries a CVSS 3.1 score of 7.5.
Authenticated attackers holding Subscriber-level access or higher, when granted the necessary permissions by an Administrator, can exploit the weakness to upload arbitrary files to the server. Successful exploitation may enable remote code execution on the affected site.
References from the WordPress plugin repository and Wordfence indicate that the vulnerability was partially mitigated in version 3.9.29, with code changes visible in the associated changeset entries that address upload validation logic. The EPSS score remains flat at 0.0162 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23606
Vulnerability details
The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29.
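The description above says the upload handler lacked file type validation. The following is an added example, not code from the WP Import Export Lite plugin: it shows the validation gate an import-upload handler of this kind needs, in the order a defender would apply it (capability check, extension allowlist, single-extension rule, content sniffing, a scan for PHP open tags, and storage under a random name in a non-served directory). The function names `wpie_example_*`, the allowlist, the size ceiling, the nonce name and the storage path are assumptions for this example; the `wp_*` helpers and `WP_Error` are WordPress core functions and need a WordPress runtime.

```php
<?php
// Added example, not the plugin's own code. Assumed names: wpie_example_*.

/** Validate one $_FILES entry for an import. Returns ['name','ext','type'] or WP_Error. */
function wpie_example_validate_upload( array $file ) {
    // Allowlist of import formats (assumed for this example): extension => MIME.
    $allowed = array( 'csv' => 'text/csv', 'xml' => 'text/xml', 'json' => 'application/json' );
    // What libmagic may report for those formats; older builds say text/plain.
    $acceptable_sniffed = array(
        'text/plain', 'text/csv', 'application/csv',
        'text/xml', 'application/xml', 'application/json',
    );
    $max_bytes = 50 * 1024 * 1024; // assumed 50 MiB ceiling

    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'wpie_no_upload', 'No uploaded file was received.' );
    }
    if ( UPLOAD_ERR_OK !== (int) $file['error'] ) {
        return new WP_Error( 'wpie_upload_error', 'Upload failed (PHP error code ' . (int) $file['error'] . ').' );
    }
    if ( (int) $file['size'] > $max_bytes ) {
        return new WP_Error( 'wpie_too_large', 'Import file exceeds the size limit.' );
    }

    // 1. Extension allowlist. wp_check_filetype() looks only at the final
    //    extension and returns ext === false for anything not in $allowed.
    $name    = sanitize_file_name( wp_basename( $file['name'] ) );
    $checked = wp_check_filetype( $name, $allowed );
    if ( false === $checked['ext'] ) {
        return new WP_Error( 'wpie_bad_type', 'Only .csv, .xml and .json imports are accepted.' );
    }

    // 2. Exactly one extension: "data.php.csv" passes step 1, yet some server
    //    configurations dispatch on the earlier extension.
    if ( 1 !== substr_count( $name, '.' ) ) {
        return new WP_Error( 'wpie_multi_ext', 'File names must carry exactly one extension.' );
    }

    // 3. Sniff the bytes on disk; the client-declared MIME type is never consulted.
    $finfo   = finfo_open( FILEINFO_MIME_TYPE );
    $sniffed = finfo_file( $finfo, $file['tmp_name'] );
    finfo_close( $finfo );
    if ( ! in_array( $sniffed, $acceptable_sniffed, true ) ) {
        return new WP_Error( 'wpie_content_mismatch', 'File contents do not look like an import file.' );
    }

    // 4. Defence in depth: a data file never legitimately contains a PHP open tag.
    $head = (string) file_get_contents( $file['tmp_name'], false, null, 0, 65536 );
    if ( false !== stripos( $head, '<?php' ) || false !== strpos( $head, '<?=' ) ) {
        return new WP_Error( 'wpie_embedded_code', 'Import file contains PHP code.' );
    }

    return array( 'name' => $name, 'ext' => $checked['ext'], 'type' => $checked['type'] );
}

/** Store a validated upload under a random name in a directory the web server is told not to serve. */
function wpie_example_store_upload( array $file, array $checked ) {
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'wpie-example-imports/'; // assumed path
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'wpie_mkdir', 'Could not create the import directory.' );
    }
    if ( ! file_exists( $dir . '.htaccess' ) ) {
        file_put_contents( $dir . '.htaccess', "Require all denied\n" ); // Apache 2.4 syntax
    }
    if ( ! file_exists( $dir . 'index.php' ) ) {
        file_put_contents( $dir . 'index.php', "<?php\n// Silence is golden.\n" );
    }
    // Random name: even a file that slipped through cannot be requested by a guessable URL.
    $target = $dir . wp_generate_password( 32, false ) . '.' . $checked['ext'];
    if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
        return new WP_Error( 'wpie_move', 'Could not store the import file.' );
    }
    chmod( $target, 0640 );
    return $target;
}

/** Request handler: capability and nonce gate first, then validate, then store. */
function wpie_example_handle_request() {
    // Least privilege: require WordPress's core 'import' capability rather than a per-plugin grant.
    if ( ! current_user_can( 'import' ) ) {
        wp_die( 'You are not allowed to import data.', 403 );
    }
    check_admin_referer( 'wpie_example_import' ); // nonce action name is an assumption
    if ( empty( $_FILES['import_file'] ) ) {
        wp_die( 'No file uploaded.', 400 );
    }
    $checked = wpie_example_validate_upload( $_FILES['import_file'] );
    if ( is_wp_error( $checked ) ) {
        wp_die( esc_html( $checked->get_error_message() ), 400 );
    }
    $stored = wpie_example_store_upload( $_FILES['import_file'], $checked );
    if ( is_wp_error( $stored ) ) {
        wp_die( esc_html( $stored->get_error_message() ), 500 );
    }
    return $stored; // absolute path for the parser to read; never echoed to the client
}
```

The content sniff in step 3 is deliberately tolerant, because libmagic reports CSV and older JSON as `text/plain`; the extension allowlist and the PHP-tag scan are what stop an executable file, and the non-served directory with a random name limits the damage if a check is ever bypassed. When reviewing a fix for this class of bug (the page notes 3.9.29 only partially patches it), confirm that all four checks run before the file is parsed or moved, not only the extension test.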
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in a public-facing WordPress plugin directly enables exploitation of the public-facing application (T1190) and deployment of a web shell (T1505.003) for remote code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the missing file type validation in the wpie_parse_upload_data function by requiring comprehensive input validation for uploaded files to prevent arbitrary uploads.
- SI-2 (Flaw Remediation): Ensures timely identification, reporting, and patching of the arbitrary file upload flaw in WP Import Export Lite plugin versions up to 3.9.29.
- Least privilege: Enforces least privilege to restrict Subscriber-level users from receiving administrator-granted permissions needed to access and exploit the vulnerable upload function.