PT-2026-20385 · WordPress · Wp Import – Ultimate Csv Xml Importer For Wordpress
Dieu Link +1 · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-1317
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
WP Import – Ultimate CSV XML Importer for WordPress plugin versions prior to 7.38
Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin is susceptible to SQL Injection. The cause is inadequate escaping of the file name parameter during file upload: the file name is stored in the database and later used in raw SQL queries without proper sanitization. An authenticated attacker with Subscriber-level access or higher can append SQL queries through a malicious filename, which can lead to the extraction of sensitive information from the database. The vulnerability is exploitable when the 'Single Import/Export' option is enabled and the server is running a PHP version lower than 8.0.
Recommendations
Update the WP Import – Ultimate CSV XML Importer for WordPress plugin to version 7.38 or later.
Disable the 'Single Import/Export' option.
Ensure the server is running PHP version 8.0 or higher.
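The stored-then-reused pattern from the Description, modelled as an added example: this is not the plugin's code (which is PHP) but a Python sketch against an in-memory SQLite database. The table names, function names and sample file name are constructed for illustration.

```python
import sqlite3

# Constructed sample file name carrying a quote, as a Subscriber-level upload might.
CONSTRUCTED_NAME = "x.csv' OR '1'='1"

def make_db():
    """In-memory stand-in for the site database, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uploads (id INTEGER PRIMARY KEY, owner TEXT, file_name TEXT)")
    db.execute("CREATE TABLE import_log (file_name TEXT, owner TEXT, note TEXT)")
    db.executemany("INSERT INTO import_log VALUES (?, ?, ?)", [
        ("alice.csv", "alice", "alice private mapping"),
        ("bob.csv", "bob", "bob private mapping"),
    ])
    return db

def store_upload(db, owner, file_name):
    """Upload step. Storing with a bound parameter is safe, but the stored
    value is still user-controlled when it is read back later."""
    cur = db.execute("INSERT INTO uploads (owner, file_name) VALUES (?, ?)",
                     (owner, file_name))
    return cur.lastrowid

def _stored_name(db, upload_id):
    row = db.execute("SELECT file_name FROM uploads WHERE id = ?", (upload_id,)).fetchone()
    return row[0]

def log_rows_raw(db, upload_id):
    """Vulnerable pattern: a value read from the database is trusted and
    concatenated into a raw query, so its quote ends the string literal."""
    name = _stored_name(db, upload_id)
    sql = "SELECT owner, note FROM import_log WHERE file_name = '" + name + "'"
    return db.execute(sql).fetchall()

def log_rows_bound(db, upload_id):
    """Hardened pattern: the stored name is bound as data and never parsed as SQL."""
    name = _stored_name(db, upload_id)
    return db.execute("SELECT owner, note FROM import_log WHERE file_name = ?",
                      (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    uid = store_upload(db, "subscriber", CONSTRUCTED_NAME)
    print("raw query rows:  ", log_rows_raw(db, uid))    # other users' rows leak
    print("bound query rows:", log_rows_bound(db, uid))  # no match, nothing returned
```

In WordPress code the equivalent of the bound query is building the statement with `$wpdb->prepare()` and a `%s` placeholder, including for values that were read back from the database.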
Fix
SQL injection