WordPress 4.9.9 as well as 5.0.1 and ALL the “security patch releases” back to 3.7 now have a new CSV file management bug. Any CSV file that is uploaded is rejected by WordPress due to a security violation.
The Quick Fix
Add this to your wp-config.php file:
define(‘ALLOW_UNFILTERED_UPLOADS’, true);
Yes, this will effectively disable all those cool new “security features” in the latest release of WordPress but it also will get your CSV imports working again. Just remember to take this out when WordPress 4.9.10 (or 5.0.2) comes out — assuming they deem this new “security feature” a bug and patch it accordingly.