CVE Details
Basic Information
| Title | WP Import Export Lite <= 3.9.28 - Authenticated (Subscriber+) Arbitrary File Upload |
|---|---|
| Type | cve |
| Published | 2025-08-05T07:24:14.925Z |
| Modified | 2025-08-05T07:24:14.925Z |
Product Information
| Vendor | vjinfotech |
|---|---|
| Product | WP Import Export Lite |
| Version | * |
CVSS Information
| Base Score | 7.5 (HIGH) |
|---|---|
| Attack Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
AI Analysis
| AI Description | The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation. This allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files, potentially enabling remote code execution. |
|---|---|
| AI Severity | High |
| AI Vendor | vjinfotech |
| AI Product | WP Import Export Lite |
| AI Version | Up to 3.9.28 |
Affected Products
- vjinfotech WP Import Export Lite *
Additional Information
| CWE List | CWE-434 |
|---|---|
| Source | Wordfence |
Description
The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘wpie_tempalte_import’ function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site’s server which may make remote code execution possible.