CVE-2025-10057
WP · WP Import – Ultimate CSV XML Importer for WordPress plugin
A high-severity remote code execution (RCE) vulnerability (CVSS 8.8) has been identified in the "WP Import – Ultimate CSV XML Importer" WordPress plugin.
Executive summary
This flaw allows an unauthenticated attacker to execute arbitrary code on the web server, which can lead to complete compromise of the affected site, theft of its data, and further intrusion into the hosting network. Immediate patching is required to mitigate this high-severity risk.
Vulnerability
The vulnerability lies in the plugin's file import functionality. An attacker crafts a CSV or XML file with embedded PHP code and submits it through the plugin's import feature. Because the plugin does not validate or sanitize the contents of the imported file, the embedded code ends up being executed on the web server with the privileges of the web server account (typically www-data or the PHP-FPM pool user).
Business impact
This vulnerability is rated high severity with a CVSS score of 8.8. Note that 8.8 is the CVSS v3.1 score for a network-reachable, low-complexity attack with high confidentiality, integrity and availability impact that requires low privileges; the same impact with no privileges at all scores 9.8. Check the vector string in the vendor advisory or the NVD entry to confirm whether an account is needed, since that determines whether restricting dashboard access is a meaningful stop-gap. Successful exploitation could lead to complete compromise of the web server hosting the WordPress site. Potential consequences include theft of sensitive data (customer information, payment details, intellectual property), website defacement, installation of malware or ransomware, and use of the compromised server to launch further attacks against other systems. Such an incident could result in significant financial loss, reputational damage, and regulatory penalties.
Remediation
Immediate Action:
- Identify all WordPress instances using the "WP Import – Ultimate CSV XML Importer" plugin.
- Update the plugin to the fixed version named in the vendor advisory, via the WordPress administrator dashboard or WP-CLI (wp plugin update <plugin-slug>), and confirm the installed version afterwards.
- If the plugin is no longer required for business operations, deactivate it and delete it completely. Deactivation alone leaves the plugin's files on disk; removal is what eliminates the attack surface.
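The inventory step above is easier to do across a fleet than by hand. The following is an added example for this advisory, not code from the plugin or its vendor: it takes, per host, the JSON that `wp plugin list --format=json` prints (fields name, status, update, version), finds hosts that carry the plugin at all, and compares the installed version numerically against the fixed version. The plugin slug wp-ultimate-csv-importer is an assumption to verify on wordpress.org, the fixed version must be taken from the vendor advisory, and the version numbers in the sample are deliberately unrealistic placeholders, not real releases.

```python
"""Fleet check: which WordPress hosts still carry the plugin, and which build.

Added example for the "identify all instances" step of this advisory; not code
from the plugin or its vendor. Per-host input is the JSON printed by
`wp plugin list --format=json`. Assumptions: the plugin slug (verify on
wordpress.org) and the fixed version (take it from the vendor advisory). The
version numbers below are placeholders chosen to be obviously unreal.
"""
import json
import re

PLUGIN_SLUG = "wp-ultimate-csv-importer"   # assumed slug, verify before use
FIXED_VERSION = "99.0.0"                   # placeholder, NOT the real fixed version

# Constructed `wp plugin list --format=json` output for three hosts.
FLEET = {
    "shop.example.com": (
        '[{"name":"akismet","status":"active","update":"none","version":"5.3"},'
        '{"name":"wp-ultimate-csv-importer","status":"active","update":"available","version":"98.7.2"}]'
    ),
    "blog.example.com": (
        '[{"name":"wp-ultimate-csv-importer","status":"inactive","update":"none","version":"99.0.0"}]'
    ),
    "docs.example.com": '[{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
}


def version_key(version):
    """'98.7.2' -> (98, 7, 2): numeric compare, so '98.10' sorts after '98.9'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def assess_host(host, plugin_list_json, slug=PLUGIN_SLUG, fixed=FIXED_VERSION):
    """Return None if the plugin is absent, else a finding with the action to take."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != slug:
            continue
        installed = plugin.get("version", "0")
        vulnerable = version_key(installed) < version_key(fixed)
        if vulnerable:
            action = "update to %s or remove" % fixed
        elif plugin.get("status") != "active":
            action = "patched but inactive: remove if no longer needed"
        else:
            action = "patched: keep only if still required"
        return {"host": host, "version": installed, "status": plugin.get("status"),
                "vulnerable": vulnerable, "action": action}
    return None


def exposed_hosts(fleet=FLEET):
    """Every host that carries the plugin, vulnerable ones first."""
    findings = [f for f in (assess_host(h, j) for h, j in fleet.items()) if f]
    return sorted(findings, key=lambda f: (not f["vulnerable"], f["host"]))


if __name__ == "__main__":
    for f in exposed_hosts():
        print("%-18s %-8s %-9s %s" % (f["host"], f["version"], f["status"], f["action"]))
```

Inactive installs are reported on purpose: the plugin's files are still on disk until it is deleted, which is why the remediation list asks for removal rather than deactivation.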
Proactive Monitoring:
- Monitor web server logs for POST requests to the plugin's import endpoints, especially those originating from untrusted IP addresses, and for requests to newly created .php files under wp-content/uploads, which is where a successful upload-based compromise typically leaves a web shell.
- Analyze network traffic for unusual outbound connections from the web server, which could indicate a successful compromise.
- Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, and plugins.
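The two log and file-integrity items above, as an added example that is not code from the plugin, its vendor or any SIEM product. It parses combined-format access log lines, flags import POSTs (higher severity when the source is outside a trusted network) and GETs for PHP files under the uploads directory, and keeps a SHA-256 baseline of a wp-content tree to report added, removed and modified files. Assumptions not stated in the advisory: the plugin slug wp-ultimate-csv-importer, that an import request is a POST to a path under that plugin directory or to admin-ajax.php with an action containing "import" or "csv", and that a GET for a .php file under wp-content/uploads/ is a generic web-shell indicator. The log lines, the trusted network and the directory tree are constructed.

```python
"""Monitoring checks from this advisory, run over constructed data.

Added example; not code from the plugin, its vendor or any SIEM. Assumed, not
taken from the advisory: the plugin slug, the shape of an import request, and
the uploads-dir PHP indicator. Log lines and the file tree are constructed.
"""
import hashlib
import ipaddress
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

PLUGIN_DIR = "/wp-content/plugins/wp-ultimate-csv-importer/"   # assumed slug
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]            # constructed

# Combined log format as written by Apache/nginx: ip ident user [ts] "req" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2025:09:14:02 +0000] "POST /wp-content/plugins/wp-ultimate-csv-importer/import.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2025:09:15:31 +0000] "POST /wp-admin/admin-ajax.php?action=csv_import HTTP/1.1" 200 77 "-" "python-requests/2.32"
203.0.113.7 - - [12/Sep/2025:09:15:40 +0000] "GET /wp-content/uploads/2025/09/data.php?x=1 HTTP/1.1" 200 44 "-" "python-requests/2.32"
198.51.100.9 - - [12/Sep/2025:09:16:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""


def is_trusted(ip, nets=TRUSTED_NETS):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def scan_log(text, nets=TRUSTED_NETS):
    """Return one (ip, severity, reason) finding per matching log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        parts = urlsplit(target)
        action = "".join(parse_qs(parts.query).get("action", [])).lower()
        is_import = method == "POST" and (
            parts.path.startswith(PLUGIN_DIR)
            or (parts.path.endswith("/admin-ajax.php") and ("import" in action or "csv" in action))
        )
        if is_import:
            sev = "info" if is_trusted(ip, nets) else "high"
            findings.append((ip, sev, "import POST to %s" % parts.path))
        elif parts.path.startswith("/wp-content/uploads/") and parts.path.endswith(".php"):
            findings.append((ip, "high", "PHP served from uploads: %s" % parts.path))
    return findings


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshot(before, after):
    """Added, removed and content-changed paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo_fim():
    """Baseline a throwaway wp-content tree, then plant a file and touch the plugin."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads/2025/09"))
        os.makedirs(os.path.join(root, "plugins/wp-ultimate-csv-importer"))
        plugin_file = os.path.join(root, "plugins/wp-ultimate-csv-importer/importer.php")
        with open(plugin_file, "w") as fh:
            fh.write("<?php // placeholder plugin code\n")
        before = snapshot(root)
        with open(os.path.join(root, "uploads/2025/09/data.php"), "w") as fh:
            fh.write("<?php // planted file, content irrelevant to the check\n")
        with open(plugin_file, "a") as fh:
            fh.write("// unexpected change\n")
        return diff_snapshot(before, snapshot(root))


if __name__ == "__main__":
    for ip, sev, reason in scan_log(SAMPLE_LOG):
        print("%-5s %-14s %s" % (sev, ip, reason))
    print(demo_fim())
```

Run against a real baseline, take the snapshot from a known-good deployment (fresh plugin download, verified checksums) rather than from the server after the fact, otherwise an already planted file becomes part of the baseline.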
Compensating Controls:
- If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to inspect and block malicious file uploads containing code snippets.
- Restrict access to the WordPress dashboard (wp-admin/ and wp-login.php) to trusted IP addresses only.
- Ensure web server file permissions are hardened so the web service account cannot write to sensitive directories, and disable PHP execution in the directories it must be able to write to, such as wp-content/uploads.
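What the WAF rule above has to catch, as an added example that is not the plugin's own validation and not a rule from any WAF product: a pre-upload inspection of CSV and XML import files for embedded PHP. Two passes are needed. A parse-based walk over every CSV cell and every XML text node and attribute sees the data as the plugin will see it, so an entity-encoded or CDATA-wrapped tag is caught; a raw-text scan is needed as well, because `<?php ... ?>` is also a well-formed XML processing instruction that a tree walk never visits. The sample files are constructed; the accepted extensions and the tag patterns are this example's choices, not the plugin's.

```python
"""Pre-upload inspection of CSV/XML import files for embedded PHP.

Added example for the WAF / upload-filter item in this advisory; not the
plugin's own validation and not any WAF vendor's rule. Sample files are
constructed. A file is rejected if it has an unexpected extension, does not
parse as the format it claims, or contains a PHP open tag in either the raw
bytes or any parsed cell, text node or attribute.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET

# PHP open tags: "<?php", "<?=", and the legacy <script language="php"> form.
# The bare short tag "<?" is left out because it collides with the XML
# declaration; add it only if short_open_tag is enabled on the host.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)|<script\b[^>]*\blanguage\s*=\s*[\"']?php", re.I)

SAMPLES = {  # constructed inputs
    "clean.csv": b"post_title,post_content\nHello,World\n",
    "evil.csv": b'post_title,post_content\n"Hi","<?php echo 1; ?>"\n',
    "pi.xml": b"<posts><post><title>Hi</title><?php echo 1; ?></post></posts>",
    "entity.xml": b"<posts><post><body>&lt;?php echo 1; ?&gt;</body></post></posts>",
    "broken.xml": b"<posts><post>",
    "shell.php": b"<?php echo 1; ?>",
}


def php_hits(text, where):
    return ["%s: %s" % (where, m.group(0)) for m in PHP_TAG_RE.finditer(text)]


def check_csv(text):
    """Walk parsed cells so tags inside quoted fields are located by row/column."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text, newline="")), start=1):
        for c, cell in enumerate(row, start=1):
            hits += php_hits(cell, "row %d col %d" % (r, c))
    return hits


def check_xml(data):
    """Walk text, tail and attributes of every element; entities are decoded by the parser."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    hits = []
    for el in root.iter():
        hits += php_hits(el.text or "", "<%s> text" % el.tag)
        hits += php_hits(el.tail or "", "<%s> tail" % el.tag)
        for name, value in el.attrib.items():
            hits += php_hits(value, "<%s> @%s" % (el.tag, name))
    return hits


def inspect_import(filename, data):
    """Return (accepted, reasons). Only .csv and .xml are considered at all."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ("csv", "xml"):
        return False, ["extension .%s not allowed for import" % ext]
    text = data.decode("utf-8-sig", errors="replace")
    reasons = php_hits(text, "raw")  # catches XML PIs and mislabelled PHP files
    reasons += check_csv(text) if ext == "csv" else check_xml(data)
    return (not reasons), reasons


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, why = inspect_import(name, blob)
        print("%-11s %s %s" % (name, "ACCEPT" if ok else "REJECT", "; ".join(why)))
```

For XML from untrusted sources in production, parse with defusedxml rather than the standard library to also cover entity-expansion attacks; that choice is outside what this advisory covers.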
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8.8) and the critical impact of a successful remote code execution attack, we strongly recommend that all system owners prioritize the immediate remediation of this vulnerability. All instances of the "WP Import – Ultimate CSV XML Importer" plugin must be updated or removed without delay. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion and widespread exploitation.