CVE-2025-6207: 
WordPress vulnerability analysis and mitigation

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads (CVE-2025-6207) due to missing file type validation in the 'wpietempalteimport' function in versions up to and including 3.9.28. This vulnerability was discovered and disclosed on May 8, 2025 (NVD).

The vulnerability exists in the 'wpietempalteimport' function where there is insufficient file type validation. The issue allows authenticated attackers with Subscriber-level access and above, who have been granted permissions by an Administrator, to upload arbitrary files to the affected site's server. The vulnerability has been assigned a CVSS v3.1 score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

Successful exploitation of this vulnerability could allow authenticated attackers to upload malicious files to the server, potentially leading to remote code execution. This could give attackers significant control over the affected WordPress site (NVD).

The vulnerability affects versions up to and including 3.9.28 of the WP Import Export Lite plugin. Users should update to the latest version of the plugin when available. In the meantime, administrators should carefully review and restrict user permissions for the plugin (NVD).