20,000 WordPress Sites at Risk of File Upload & Deletion Exploits

**Executive summary:** Two high-severity vulnerabilities (CVE-2025-2008: arbitrary file upload enabling remote code execution; CVE-2025-2007: arbitrary file deletion allowing destruction of critical files like wp-config.php) were found in the WP Ultimate CSV Importer plugin (≈20,000 active installs); both received high CVSS scores and were patched in v7.19.1 on 2025-03-25—site administrators are strongly urged to update immediately and verify no compromise.