WP Import Export Lite

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29.

Basic Information

ID CVE-2025-5061

Source Wordfence

Published Aug 5, 2025 at 07:24

Modified Aug 5, 2025 at 15:23

Affected Product

Vendor vjinfotech

Product WP Import Export Lite

Version *

Affected Versions vjinfotech WP Import Export Lite *

CWE Classification

CWE-434

References

{
    "lastseen": "",
    "description": "The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29.",
    "published": "2025-08-05T07:24:15.571Z",
    "modified": "2025-08-05T15:23:55.410Z",
    "type": "cve",
    "title": "WP Import Export Lite <= 3.9.29 - Authenticated (Subscriber+) Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c0f3248-fef6-48a5-b2e1-f2778528fba1?source=cve\nhttps://plugins.trac.wordpress.org/browser/wp-import-export-lite/trunk/includes/classes/import/class-wpie-upload-validate.php#L24\nhttps://plugins.trac.wordpress.org/browser/wp-import-export-lite/trunk/includes/classes/import/class-wpie-upload-validate.php#L89\nhttps://plugins.trac.wordpress.org/changeset/3323402/\nhttps://plugins.trac.wordpress.org/changeset/3338701/",
    "id": "CVE-2025-5061",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "vjinfotech WP Import Export Lite *",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WP Import Export Lite",
    "version": "*",
    "vendor": "vjinfotech",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

WP Import Export Lite <= 3.9.29 - Authenticated (Subscriber+) Arbitrary File Upload_CVE-2025-5061