Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-1317 - Wp Ultimate Csv Importer Plugin
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the…
PLUGIN
Wp Ultimate Csv Importer
CVE-2026-1317
Risk Score
Threat Entry
Updated 2026-01-02
CVE-2025-14627 - Wp Ultimate Csv Importer Plugin
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform…
PLUGIN
Wp Ultimate Csv Importer
CVE-2025-14627
Risk Score
Threat Entry
Updated 2025-11-19
CVE-2025-13145 - Wp Ultimate Csv Importer Plugin
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve…
PLUGIN
Wp Ultimate Csv Importer
CVE-2025-13145
Risk Score
Threat Entry
Updated 2025-11-12
CVE-2025-12732 - Wp Ultimate Csv Importer Plugin
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
PLUGIN
Wp Ultimate Csv Importer
CVE-2025-12732
Risk Score
Threat Entry
Updated 2025-09-17
CVE-2025-10058 - Wp Ultimate Csv Importer Plugin
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wp Ultimate Csv Importer
CVE-2025-10058
Risk Score
Threat Entry
Updated 2025-09-17
CVE-2025-10057 - Wp Ultimate Csv Importer Plugin
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
PLUGIN
Wp Ultimate Csv Importer
CVE-2025-10057
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-10040 - Wp Ultimate Csv Importer Plugin
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
PLUGIN
Wp Ultimate Csv Importer
CVE-2025-10040
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4142 - Wp Ultimate Csv Importer Plugin
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution.
PLUGIN
Wp Ultimate Csv Importer
CVE-2023-4142
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4141 - Wp Ultimate Csv Importer Plugin
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution.
PLUGIN
Wp Ultimate Csv Importer
CVE-2023-4141
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4140 - Wp Ultimate Csv Importer Plugin
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter.
PLUGIN
Wp Ultimate Csv Importer
CVE-2023-4140
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4139 - Wp Ultimate Csv Importer Plugin
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and view exported files.
PLUGIN
Wp Ultimate Csv Importer
CVE-2023-4139
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0360 - Wp Ultimate Csv Importer Plugin
The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escaped imported comments, which could allow high privilege users to import malicious ones (either intentionnaly or not) and lead to Stored Cross-Site Scripting issues
PLUGIN
Wp Ultimate Csv Importer
CVE-2022-0360
Risk Score