CVE-2025-10058: 
WordPress vulnerability analysis and mitigation

The WP Import – Ultimate CSV XML Importer for WordPress plugin is vulnerable to arbitrary file deletion (CVE-2025-10058). This vulnerability was discovered in September 2025 and affects versions up to 7.28. The issue exists in the FtpUpload.php file where improper file path validation could allow authenticated users to delete arbitrary files on the server (Tenable).

The vulnerability stems from insufficient path validation in the file deletion functionality within the FtpUpload.php module. When handling failed file uploads, the code directly uses unlink() on user-controlled paths without proper validation. This was fixed in version 7.29 by implementing path validation to ensure deletions only occur within the WordPress uploads directory and adding validation for allowed file extensions (WordPress Changeset).

If exploited, this vulnerability allows authenticated users with contributor-level access or above to delete arbitrary files on the server's filesystem. This could lead to website disruption, data loss, or potential system compromise depending on which files are targeted.

The vulnerability has been patched in version 7.29 of the WP Import – Ultimate CSV XML Importer plugin. The fix includes proper path validation to restrict file deletions to the WordPress uploads directory and implementation of file extension validation. Site administrators should update to version 7.29 or later immediately (WordPress Changeset).