CVE-2025-4190
HIGH
WordPress CSV Mass Importer <1.2 - Privilege Escalation
Title source: llm
Description
The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high-privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example, in a multisite setup).
Exploits (3)
github
WORKING POC
by Boshe99 · python · poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-4190
Scores
CVSS v3
7.2
EPSS
0.0006
EPSS Percentile
19.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Classification
Status
published
Affected Products (1)
aleapp/csv_mass_importer
< 1.2
Timeline
Published
May 17, 2025
Tracked Since
Feb 18, 2026