CVE-2025-6086 – CSV Me <= 2.0 - Authenticated (Administrator+) Arbitrary File Upload

https://notcve.org/view.php?id=CVE-2025-6086

17 Jun 2025 — The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'csv_me_options_page' function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/csv-me/trunk/csv_me_index.php#L49 • CWE-434: Unrestricted Upload of File with Dangerous Type •