Remote Code Execution in WP Ultimate CSV Importer Plugin by WP
CVE-2026-13353

8.8HIGH

What is CVE-2026-13353?

The WP Ultimate CSV Importer plugin for WordPress suffers from a Remote Code Execution vulnerability affecting all versions up to 8.0.1. The issue arises from inadequate capability checks on critical AJAX handlers, such as install_addon and saveMappedFields. Authenticated users with subscriber-level access can execute arbitrary PHP code by manipulating the MappedFields parameter. This flaw allows the installation of the Import WooCommerce add-on, which can lead to malicious expressions being processed by the server via the eval() function in ImportHelpers::get_meta_values().

Affected Version(s)

WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel 0 <= 8.0.1

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

daroo
.