Vulnerabilities and security researches forwp-ultimate-csv-importer wp-ultimate-csv-importer

Direction: ascending

Jun 07, 2024

Import CSV or XML Datafeed With Ease # CVE-2018-20967

CVE, Research URL: CVE-2018-20967
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 14, 2019
Research Description: The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.
Affected versions: max 5.6.1.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2015-9306

CVE, Research URL: CVE-2015-9306
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 12, 2019
Research Description: The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.
Affected versions: max 3.8.1.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-3243

CVE, Research URL: CVE-2022-3243
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Oct 17, 2022
Research Description: The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin
Affected versions: max 6.5.8.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-3244

CVE, Research URL: CVE-2022-3244
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Oct 17, 2022
Research Description: The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce
Affected versions: max 3.6.75.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-1977

CVE, Research URL: CVE-2022-1977
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Jun 27, 2022
Research Description: The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks
Affected versions: max 3.7.1.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-0360

CVE, Research URL: CVE-2022-0360
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Feb 28, 2022
Research Description: The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escaped imported comments, which could allow high privilege users to import malicious ones (either intentionnaly or not) and lead to Stored Cross-Site Scripting issues
Affected versions: max 6.4.3.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4142

CVE, Research URL: CVE-2023-4142
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 04, 2023
Research Description: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution.
Affected versions: max 7.9.9.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4139

CVE, Research URL: CVE-2023-4139
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 04, 2023
Research Description: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and view exported files.
Affected versions: max 7.9.9.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4140

CVE, Research URL: CVE-2023-4140
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 04, 2023
Research Description: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter.
Affected versions: max 7.9.9.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4141

CVE, Research URL: CVE-2023-4141
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Aug 04, 2023
Research Description: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution.
Affected versions: max 3.8.8.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2015-10125

CVE, Research URL: CVE-2015-10125
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Oct 06, 2023
Research Description: A vulnerability classified as problematic has been found in WP Ultimate CSV Importer Plugin 3.7.2 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 13c30af721d3f989caac72dd0f56cf0dc40fad7e. It is recommended to upgrade the affected component. The identifier VDB-241317 was assigned to this vulnerability.
Affected versions: max 3.7.3.
Status: vulnerable

Apr 03, 2025

Import CSV or XML Datafeed With Ease # CVE-2025-2007

CVE, Research URL: CVE-2025-2007
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Apr 01, 2025
Research Description: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions: max 7.20.1.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-2008

CVE, Research URL: CVE-2025-2008
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Apr 01, 2025
Research Description: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 7.20.1.
Status: vulnerable

Oct 11, 2025

Import CSV or XML Datafeed With Ease # CVE-2025-10057

CVE, Research URL: CVE-2025-10057
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Sep 17, 2025
Research Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
Affected versions: Min 7.20, max 7.29.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-10040

CVE, Research URL: CVE-2025-10040
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Sep 10, 2025
Research Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
Affected versions: max 7.28.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-10058

CVE, Research URL: CVE-2025-10058
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Sep 17, 2025
Research Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions: max 7.28.
Status: vulnerable

Dec 10, 2025

Import CSV or XML Datafeed With Ease # CVE-2025-13145

CVE, Research URL: CVE-2025-13145
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Nov 19, 2025
Research Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions: max 7.34.
Status: vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-12732

CVE, Research URL: CVE-2025-12732
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Nov 12, 2025
Research Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
Affected versions: max 7.33.1.
Status: vulnerable

Jan 09, 2026

Import CSV or XML Datafeed With Ease # CVE-2025-14627

CVE, Research URL: CVE-2025-14627
Home page URL: Security reports for Import CSV or XML Datafeed With Ease
Application: Import CSV or XML Datafeed With Ease
Date: Jan 01, 2026
Research Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
Affected versions: max 7.36.
Status: vulnerable