PT-2026-20385 · WordPress · Wp Import – Ultimate Csv Xml Importer For Wordpress

Dieu Link +1 · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-1317

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WP Import – Ultimate CSV XML Importer for WordPress plugin versions prior to 7.38

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin is susceptible to SQL Injection. This is caused by inadequate escaping of the file name parameter during file upload, which is then stored in the database and used in raw SQL queries without proper sanitization. An authenticated attacker with Subscriber-level access or higher can append SQL queries through a malicious filename. This can lead to the extraction of sensitive information from the database. The vulnerability is exploitable when the 'Single Import/Export' option is enabled and the server is running a PHP version less than 8.0.

Recommendations

Update the WP Import – Ultimate CSV XML Importer for WordPress plugin to version 7.38 or later. Disable the 'Single Import/Export' option. Ensure the server is running PHP version 8.0 or higher.
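
The pattern in the description (a file name stored first, then reused in a raw query) is shown below as an added example; it is not the plugin's code. It uses Python's sqlite3 as a stand-in database, and the schema, function names and sample file name are hypothetical and constructed for illustration.

```python
import sqlite3

# Constructed file name containing a quote; not taken from the advisory.
CONSTRUCTED_NAME = "x.csv' OR '1'='1"

def make_db():
    """Hypothetical schema: stored upload names plus an import log."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE uploads (id INTEGER PRIMARY KEY, file_name TEXT);
        CREATE TABLE import_log (file_name TEXT, status TEXT);
        INSERT INTO import_log VALUES ('posts.csv', 'done'), ('users.csv', 'done');
    """)
    return db

def store_upload(db, file_name):
    # Step 1: the name is stored. A parameterized INSERT is safe here, but it
    # preserves the quote, so the stored value stays untrusted.
    return db.execute("INSERT INTO uploads (file_name) VALUES (?)", (file_name,)).lastrowid

def stored_name(db, upload_id):
    return db.execute("SELECT file_name FROM uploads WHERE id = ?", (upload_id,)).fetchone()[0]

def log_rows_raw(db, upload_id):
    # Step 2, flawed: the stored name is concatenated into the query text.
    sql = "SELECT file_name, status FROM import_log WHERE file_name = '" + stored_name(db, upload_id) + "'"
    return db.execute(sql).fetchall()

def log_rows_bound(db, upload_id):
    # Step 2, hardened: the stored name is bound as data, never parsed as SQL.
    sql = "SELECT file_name, status FROM import_log WHERE file_name = ?"
    return db.execute(sql, (stored_name(db, upload_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for name in ("posts.csv", CONSTRUCTED_NAME):
        uid = store_upload(db, name)
        print(repr(name), "raw:", len(log_rows_raw(db, uid)), "bound:", len(log_rows_bound(db, uid)))
```

In WordPress code the bound form corresponds to building the query with `$wpdb->prepare()` and placeholders, including for values read back from the database.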

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-1317

Affected Products

Wp Import – Ultimate Csv Xml Importer For Wordpress