CVE-2025-5061: 
WordPress vulnerability analysis and mitigation

The WP Import Export Lite plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2025-5061) discovered on May 8, 2025. The vulnerability affects all versions up to and including 3.9.29 and stems from missing file type validation in the 'wpieparseupload_data' function. This security issue allows authenticated attackers with Subscriber-level access or higher, who have been granted permissions by an Administrator, to upload arbitrary files to the affected site's server (NVD).

The vulnerability exists due to insufficient file type validation in the 'wpieparseupload_data' function. The issue has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Wordfence).

The vulnerability could potentially lead to remote code execution on the affected site's server if successfully exploited. This could give attackers significant control over the compromised WordPress installation (NVD).

The vulnerability was partially patched in version 3.9.30 of the WP Import Export Lite plugin. Users are advised to update to this version or later to mitigate the risk. The fix includes improved file type validation checks (WordPress Plugin Repository).