CVE-2025-4190

HIGH

WordPress CSV Mass Importer <1.2 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-4190. PoCs published by Nxploited, GadaLuBau1337, Boshe99.

AI-analyzed exploit summary

This exploit targets CVE-2025-4190, an arbitrary file upload vulnerability in the WordPress CSV Mass Importer plugin (≤ 1.2). It allows authenticated admin users to upload a malicious PHP shell via a crafted ZIP file, leading to remote code execution.

Description

The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high-privilege users such as admins to upload arbitrary files to the server even when they should not be allowed to (for example, in a multisite setup).

Exploits (3)

nomisec WORKING POC 3 stars
by Nxploited · poc
https://github.com/Nxploited/CVE-2025-4190

This exploit targets CVE-2025-4190, an arbitrary file upload vulnerability in the WordPress CSV Mass Importer plugin (≤ 1.2). It allows authenticated admin users to upload a malicious PHP shell via a crafted ZIP file, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress CSV Mass Importer plugin ≤ 1.2
Auth required
Prerequisites: Valid WordPress admin credentials · CSV Mass Importer plugin ≤ 1.2 installed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by GadaLuBau1337 · poc
https://github.com/GadaLuBau1337/CVE-2025-4190

This is a functional exploit for CVE-2025-4190, targeting WordPress CSV Mass Importer ≤ 1.2. It allows admin users to upload arbitrary files via a crafted ZIP payload, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress CSV Mass Importer plugin ≤ 1.2
Auth required
Prerequisites: Valid WordPress admin credentials · CSV Mass Importer plugin installed and activated
devstral-2 · analyzed Feb 16, 2026
github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-4190

The repository contains functional exploit code for CVE-2025-4190, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: target URL · malicious file to upload
devstral-2 · analyzed Feb 27, 2026

References (1)

Core References
Tags: Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/e525ece5-6e03-4aee-bf5b-6ae0b961f027/

Scores

CVSS v3 7.2
EPSS 0.0049
EPSS Percentile 38.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

Status published
Products (1)
aleapp/csv_mass_importer < 1.2
Published May 17, 2025
Tracked Since Feb 18, 2026