Vulnerabilities and security researches forwp-ultimate-csv-importer wp-ultimate-csv-importer

Direction: ascending

Jun 07, 2024

Import CSV or XML Datafeed With Ease # CVE-2018-20967

CVE, Research URL: CVE-2018-20967
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 14, 2019
Research Description: The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2015-9306

CVE, Research URL: CVE-2015-9306
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 12, 2019
Research Description: The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-3243

CVE, Research URL: CVE-2022-3243
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Oct 17, 2022
Research Description: The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-3244

CVE, Research URL: CVE-2022-3244
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Oct 17, 2022
Research Description: The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-1977

CVE, Research URL: CVE-2022-1977
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Jun 27, 2022
Research Description: The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-0360

CVE, Research URL: CVE-2022-0360
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Feb 28, 2022
Research Description: The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escaped imported comments, which could allow high privilege users to import malicious ones (either intentionnaly or not) and lead to Stored Cross-Site Scripting issues
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4142

CVE, Research URL: CVE-2023-4142
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 04, 2023
Research Description: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution.
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4139

CVE, Research URL: CVE-2023-4139
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 04, 2023
Research Description: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and view exported files.
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4140

CVE, Research URL: CVE-2023-4140
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 04, 2023
Research Description: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter.
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4141

CVE, Research URL: CVE-2023-4141
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 04, 2023
Research Description: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution.
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2015-10125

CVE, Research URL: CVE-2015-10125
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Oct 06, 2023
Research Description: A vulnerability classified as problematic has been found in WP Ultimate CSV Importer Plugin 3.7.2 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 13c30af721d3f989caac72dd0f56cf0dc40fad7e. It is recommended to upgrade the affected component. The identifier VDB-241317 was assigned to this vulnerability.
Affected versions: Min -, max -.
Status: vulnerable

Apr 03, 2025

Import CSV or XML Datafeed With Ease # CVE-2025-2007

CVE, Research URL: CVE-2025-2007
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Apr 01, 2025
Research Description: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions: Min -, max -.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-2008

CVE, Research URL: CVE-2025-2008
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Apr 01, 2025
Research Description: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable