CVE-2025-5061: 
WordPress vulnerability analysis and mitigation

The WP Import Export Lite plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2025-5061) in versions up to and including 3.9.29. The vulnerability exists due to missing file type validation in the 'wpie_parse_upload_data' function (AttackerKB).

The vulnerability stems from insufficient file type validation in the plugin's upload functionality. The issue is specifically located in the 'wpie_parse_upload_data' function, which fails to properly validate uploaded file types. The vulnerability has a CVSS v3 Base Score of 7.5 (High), with an Impact Score of 5.9 and Exploitability Score of 1.6. The attack vector is Network-based, requires Low privileges, and No user interaction (AttackerKB).

When successfully exploited, this vulnerability allows authenticated attackers with Subscriber-level access and above, who have been granted necessary permissions by an Administrator, to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution on the target system (AttackerKB).

A partial patch was implemented in version 3.9.29, and further security improvements were made in version 3.9.30. Users are advised to update to the latest version of the plugin to mitigate this vulnerability (WordPress Plugin Repository).