Remote Code Execution in WP Ultimate CSV Importer Plugin by WP
CVE-2026-13353
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-13353?
The WP Ultimate CSV Importer plugin for WordPress suffers from a Remote Code Execution vulnerability affecting all versions up to 8.0.1. The issue arises from inadequate capability checks on critical AJAX handlers, such as install_addon and saveMappedFields. Authenticated users with subscriber-level access can execute arbitrary PHP code by manipulating the MappedFields parameter. This flaw allows the installation of the Import WooCommerce add-on, which can lead to malicious expressions being processed by the server via the eval() function in ImportHelpers::get_meta_values().
Affected Version(s)
WP Ultimate CSV Importer β WordPress Import & Export for CSV, XML & Excel 0 <= 8.0.1