CVE-2023-4141

Name of the Vulnerable Software and Affected Versions WP Ultimate CSV Importer plugin for WordPress versions up to, and including, 7.9.8

Description The issue allows authenticated attackers with author-level permissions or above to execute code on the server via the ->cus2 parameter, enabling them to create a PHP file. This is possible if the administrator previously grants access in the plugin settings.

Recommendations For WP Ultimate CSV Importer plugin for WordPress versions up to, and including, 7.9.8, the author resolved this issue by removing the ability for authors and editors to import files. However, site administrators can still create PHP files, so use the plugin with caution.