Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total7
Critical0
High4
Medium3
Reset
Showing 1-7 of 7 records
Threat Entry Updated 2026-04-15

CVE-2026-1317 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the…

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2026-1317

MEDIUM CVSS 6.5 2026-02-18
Open Full Technical Breakdown
Threat Entry Updated 2026-01-02

CVE-2025-14627 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform…

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-14627

MEDIUM CVSS 6.4 2026-01-01
Open Full Technical Breakdown
Threat Entry Updated 2025-11-19

CVE-2025-13145 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve…

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-13145

HIGH CVSS 7.2 2025-11-19
Open Full Technical Breakdown
Threat Entry Updated 2025-11-12

CVE-2025-12732 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-12732

MEDIUM CVSS 4.3 2025-11-12
Open Full Technical Breakdown
Threat Entry Updated 2025-09-17

CVE-2025-10058 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-10058

HIGH CVSS 8.1 2025-09-17
Open Full Technical Breakdown
Threat Entry Updated 2025-09-17

CVE-2025-10057 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-10057

HIGH CVSS 8.8 2025-09-17
Open Full Technical Breakdown
Threat Entry Updated 2025-09-11

CVE-2025-10040 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-10040

HIGH CVSS 7.7 2025-09-10
Open Full Technical Breakdown
Scroll to top