CVE-2025-11170: 
WordPress vulnerability analysis and mitigation

The WP移行専用プラグイン for CPI plugin for WordPress contains a critical security vulnerability (CVE-2025-11170) that affects all versions up to and including 1.0.2. The vulnerability was discovered and disclosed on November 10, 2025. This security flaw exists due to missing file type validation in the CpiwmImportController::import function, affecting WordPress installations using this plugin (NVD).

The vulnerability is characterized by missing file type validation in the CpiwmImportController::import function, which allows for arbitrary file uploads. The severity is rated as Critical with a CVSS v3.1 score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution. This presents a severe security risk as attackers can potentially gain unauthorized access to the server and execute malicious code (NVD).

As of November 7, 2025, the plugin has been temporarily closed and is not available for download pending a full security review (WordPress). Website administrators using this plugin should immediately remove it from their WordPress installations until a patched version is released.