Websites can be compromised: Vulnerabilities in WordPress plug-in WP Ultimate CSV Importer

Potentially 20,000 WordPress websites using the WP Ultimate CSV Importer plug-in are vulnerable. A security patch is available for download.

If attackers successfully exploit vulnerabilities in the WordPress plug-in WP Ultimate CSV Importer, they can gain full control over websites. The developers have now responded and released a version that is protected against possible attacks.

In a report, security researchers from Wordfence warn of two vulnerabilities (CVE-2025-2007 and CVE-2025-2008, both rated "high"). In both cases, insufficient checks allow remote attackers to load and execute malicious code on websites. However, attackers must already be authenticated (subscriber level).

Website admins should ensure that version 7.19.1, which is protected against the described attacks, is installed. So far there are no indications of attacks.

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.