CVE-2025-2007: 
WordPress vulnerability analysis and mitigation

The Import Export Suite for CSV and XML Datafeed plugin for WordPress contains an arbitrary file deletion vulnerability (CVE-2025-2007) in the deleteImage() function in all versions up to and including 7.19. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on April 1, 2025. This vulnerability affects WordPress installations using the affected plugin versions and allows authenticated attackers with Subscriber-level access or above to delete arbitrary files on the server (NVD Details).

The vulnerability stems from insufficient file path validation in the deleteImage() function within the plugin. The function fails to properly validate file paths before deletion operations, allowing attackers to manipulate the file path to target arbitrary files on the server. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The issue is classified as CWE-23 (Relative Path Traversal) (NVD Details, WordPress Plugin).

The vulnerability can be exploited to delete arbitrary files on the affected server, including critical system files such as wp-config.php. This can lead to website disruption, data loss, and potentially remote code execution if an attacker can delete and replace security-critical files. The attack requires authentication but can be executed by users with minimal privileges such as Subscriber-level access (NVD Details).

A security fix has been released in version 7.19.1 of the plugin. The patch implements proper file path validation and additional security checks in the deleteImage() function. Site administrators are strongly advised to update to version 7.19.1 or later immediately. If immediate updating is not possible, consider disabling the plugin until the update can be applied (WordPress Plugin).