cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forwp-ultimate-csv-importer wp-ultimate-csv-importer

Direction: ascending
Jun 07, 2024

Import CSV or XML Datafeed With Ease # CVE-2018-20967

CVE, Research URL

CVE-2018-20967

Date
Aug 14, 2019
Research Description
The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.
Affected versions
max 5.6.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2015-9306

CVE, Research URL

CVE-2015-9306

Date
Aug 12, 2019
Research Description
The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.
Affected versions
max 3.8.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-3243

CVE, Research URL

CVE-2022-3243

Date
Oct 17, 2022
Research Description
The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin
Affected versions
max 6.5.8.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-3244

CVE, Research URL

CVE-2022-3244

Date
Oct 17, 2022
Research Description
The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce
Affected versions
max 6.5.8.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-1977

CVE, Research URL

CVE-2022-1977

Date
Jun 27, 2022
Research Description
The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks
Affected versions
max 6.5.3.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2022-0360

CVE, Research URL

CVE-2022-0360

Date
Feb 28, 2022
Research Description
The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escaped imported comments, which could allow high privilege users to import malicious ones (either intentionnaly or not) and lead to Stored Cross-Site Scripting issues
Affected versions
max 6.4.3.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4142

CVE, Research URL

CVE-2023-4142

Date
Aug 04, 2023
Research Description
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution.
Affected versions
max 7.9.9.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4139

CVE, Research URL

CVE-2023-4139

Date
Aug 04, 2023
Research Description
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and view exported files.
Affected versions
max 7.9.9.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4140

CVE, Research URL

CVE-2023-4140

Date
Aug 04, 2023
Research Description
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter.
Affected versions
max 7.9.9.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2023-4141

CVE, Research URL

CVE-2023-4141

Date
Aug 04, 2023
Research Description
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution.
Affected versions
max 7.9.9.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2015-10125

CVE, Research URL

CVE-2015-10125

Date
Oct 06, 2023
Research Description
A vulnerability classified as problematic has been found in WP Ultimate CSV Importer Plugin 3.7.2 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 13c30af721d3f989caac72dd0f56cf0dc40fad7e. It is recommended to upgrade the affected component. The identifier VDB-241317 was assigned to this vulnerability.
Affected versions
max 3.7.3.
Status
vulnerable
Apr 03, 2025

Import CSV or XML Datafeed With Ease # CVE-2025-2007

CVE, Research URL

CVE-2025-2007

Date
Apr 01, 2025
Research Description
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Affected versions
max 7.20.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-2008

CVE, Research URL

CVE-2025-2008

Date
Apr 01, 2025
Research Description
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Affected versions
max 7.20.1.
Status
vulnerable
Oct 11, 2025

Import CSV or XML Datafeed With Ease # CVE-2025-10057

CVE, Research URL

CVE-2025-10057

Date
Sep 17, 2025
Research Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
Affected versions
Min 7.20, max 7.29.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-10040

CVE, Research URL

CVE-2025-10040

Date
Sep 10, 2025
Research Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
Affected versions
max 7.28.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-10058

CVE, Research URL

CVE-2025-10058

Date
Sep 17, 2025
Research Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions
max 7.28.
Status
vulnerable
Dec 10, 2025

Import CSV or XML Datafeed With Ease # CVE-2025-13145

CVE, Research URL

CVE-2025-13145

Date
Nov 19, 2025
Research Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions
max 7.34.
Status
vulnerable

Import CSV or XML Datafeed With Ease # CVE-2025-12732

CVE, Research URL

CVE-2025-12732

Date
Nov 12, 2025
Research Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
Affected versions
max 7.33.1.
Status
vulnerable
Jan 09, 2026

Import CSV or XML Datafeed With Ease # CVE-2025-14627

CVE, Research URL

CVE-2025-14627

Date
Jan 01, 2026
Research Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
Affected versions
max 7.36.
Status
vulnerable
Apr 15, 2026

Import CSV or XML Datafeed With Ease # CVE-2026-1317

CVE, Research URL

CVE-2026-1317

Date
Feb 18, 2026
Research Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.
Affected versions
max 7.38.
Status
vulnerable
Jun 16, 2026

Import CSV or XML Datafeed With Ease # 35a4b75e5c5347dd75d8571a66f7e6334636baf0

Date
Feb 22, 2015
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.6.75 WordPress Ultimate CSV Importer Plugin <= 3.6.74 Information Disclosure Because of this vulnerability, remote attackers can disclose usernames, hashed passwords and email addresses for all users. Update the plugin.
Affected versions
max 3.6.75.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 79f7431831f08b32ac167aa67b14bf1b6065413f

Date
Jan 12, 2022
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.1 WP Ultimate CSV Importer <= 6.4.0 - Arbitrary File Upload The WP Ultimate CSV Importer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip_upload AJAX call in versions up to, and including, 6.4.0. This makes it possible for subscriber-level attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Affected versions
max 6.4.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # a375e8173ddeb78895d04d4b4c07bb768004d58c

Date
Jan 27, 2018
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.8.8 Import Export All WordPress Images, Users & Post Types <= 3.8.7 - Reflected Cross-Site Scripting The Import Export All WordPress Images, Users & Post Types plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘alertmsg’ parameter in versions up to, and including, 3.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 3.8.8.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 04be56e9c4cefde64ca65d58048c3f8777614b39

Date
Jan 27, 2016
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.8.8 WordPress Ultimate CSV Importer Plugin <= 3.8.6 - Reflected Cross Site Scripting This plugin is prone to a cross site scripting vulnerability, because "alertmsg" parameter is not sanitized. Update the plugin.
Affected versions
max 3.8.8.
Status
vulnerable

Import CSV or XML Datafeed With Ease # abe2aee4880269259229c836bb46574d9acc8e3f

Date
Jan 17, 2022
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.2 Import all XML, CSV & TXT into WordPress < 6.4.2 - Missing Authorization The Import all XML, CSV & TXT into WordPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the disable_main_mode function in versions up to, and including, 6.4.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary site options.
Affected versions
max 6.4.2.
Status
vulnerable

Import CSV or XML Datafeed With Ease # c43cfb3ba18b8043e62be4c1cdc99c468a4bfb0c

Date
Jan 12, 2022
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.1 WordPress WP Ultimate CSV Importer plugin <= 6.4 - Arbitrary File Upload vulnerability Arbitrary File Upload vulnerability discovered in WordPress WP Ultimate CSV Importer plugin (versions <= 6.4).
Affected versions
max 6.4.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # a7b79211664ac6b46269ced6e6e0d3bab510a026

Date
Jan 12, 2022
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.1 WordPress WP Ultimate CSV Importer plugin <= 6.4 - Arbitrary Media File Deletion vulnerability Arbitrary Media File Deletion vulnerability (restricted to the uploads folder of the current year/month) discovered in WordPress WP Ultimate CSV Importer plugin (versions <= 6.4).
Affected versions
max 6.4.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 70c9df91b77f1c8411884c8ac5a197c0f36f58ec

Date
Apr 27, 2015
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.7.1 WordPress Ultimate CSV Importer Plugin <= 3.7.0 - Directory Traversal Because of this vulnerability, the attackers can read files on the filesystem without authorization. Update the plugin.
Affected versions
max 3.7.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # adf319f8d6673b9cfcd537ded704e0028f0a0419

Date
Jan 12, 2022
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.1 Easy Drag And drop All Import : WP Ultimate CSV Importer < 6.4.1 - Missing Authorization Checks The WP Ultimate CSV Importer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions like upload_function(), display_log(), download_log(), display_csv_values(), etc... in versions up to 6.4.1. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to perform many unauthorized actions and retrieve sensitive data.
Affected versions
max 6.4.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # e83756f83da21662f00f62dd942c3653938c2302

Date
Jan 17, 2022
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.2 WordPress WP Ultimate CSV Importer plugin <= 6.4.1 - Arbitrary Option Deletion vulnerability Arbitrary Option Deletion vulnerability discovered by WPScanTeam in WordPress WP Ultimate CSV Importer plugin (versions <= 6.4.1).
Affected versions
max 6.4.2.
Status
vulnerable

Import CSV or XML Datafeed With Ease # d85eb92247d5c34381644023b5dcce90d9d9d6d1

Date
Jan 12, 2022
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.1 WordPress WP Ultimate CSV Importer plugin <= 6.4 - Plugin Settings Update vulnerability Plugin Settings Update vulnerability discovered in WordPress WP Ultimate CSV Importer plugin (versions <= 6.4).
Affected versions
max 6.4.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 5c64c2c35f1ce619d7c608c8987d92af2239c980

Date
Apr 27, 2015
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.7.1 WP Ultimate CSV Importer <= 3.7 - Arbitrary File Read The WP Ultimate CSV Importer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the templates/readfile.php file in versions up to, and including, 3.7. This makes it possible for unauthenticated attackers to read any files on the vulnerable service that PHP has access to.
Affected versions
max 3.7.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 0f07e48bdf63a50afbb2b97f39737f8ade1089b0

Date
Feb 22, 2015
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.6.75 Ultimate CSV Importer < 3.6.75 - Information Disclosure The Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 3.6.74 via the modules/export/templates/export.php file. This can allow unauthenticated attackers to extract sensitive data including emails, passwords and usernames.
Affected versions
max 3.6.75.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 06a98f51-e581-4e42-8287-7c18254d100c

Date
-
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.2 WP Ultimate CSV Importer &lt; 6.4.2 - Subscriber+ Arbitrary Option Deletion The plugin does not have authorisation and CSRF checks when deleting options via the disable_main_mode AJAX action, and does not ensure that the option to be delete belong to the plugin. As a result, any authenticated user, such as subscriber, could delete arbitrary options from the blog
Affected versions
max 6.4.2.
Status
vulnerable

Import CSV or XML Datafeed With Ease # fc4865d1-00b9-4594-99d2-e2a3fc0d3951

Date
-
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.6.75 WP Ultimate CSV Importer &lt;= 3.6.74 - Database Table Export Due to lack of verification of a visitors permissions, it is possible to execute the &lsquo;export.php&rsquo; script included in the default installation of this plugin, and retrieve the full contents of the user table in the WordPress installation. This results in full disclosure of usernames, hashed passwords and email addresses for all users. After update 3.6.74, a change to the &lsquo;export.php&rsquo; script was made, which required a REFERER header to be passed through in the request. After this header is added (as in the second PoC), the behaviour is exactly the same, resulting in full disclosure of usernames, hashed passwords and email addresses for all users.
Affected versions
max 3.6.75.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 64bd22e2-ea38-4b6f-be54-e81f9e77bdc2

Date
-
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 6.4.1 WP Ultimate CSV Importer &lt; 6.4.1 - Subscriber+ Arbitrary File Upload The plugin does not have authorisation and CSRF checks when uploading zip files via the zip_upload AJAX call, and does not perform any check on the files to be extracted. As a result, any authenticated user, such as subscriber could upload an archive with PHP files in it, leading to RCE
Affected versions
max 6.4.1.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 1d10d116-3dda-41d4-a6f4-66d300385003

Date
-
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.8.8 WP Ultimate CSV Importer &lt;= 3.8.6 - Reflected Cross-Site Scripting (XSS) The Import and Export WordPress Data as CSV or XML WordPress plugin was affected by a Reflected Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 3.8.8.
Status
vulnerable

Import CSV or XML Datafeed With Ease # 81b7680a-c0b5-4e57-ba27-da07c2714679

Date
-
Research Description
WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel [wp-ultimate-csv-importer] < 3.7.1 WP Ultimate CSV Importer &lt; 3.7.1 - Directory Traversal The Import and Export WordPress Data as CSV or XML WordPress plugin was affected by a Directory Traversal security vulnerability.
Affected versions
max 3.7.1.
Status
vulnerable
Jul 11, 2026

Import CSV or XML Datafeed With Ease # CVE-2026-13353

CVE, Research URL

CVE-2026-13353

Date
Jul 11, 2026
Research Description
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.
Affected versions
max 8.1.
Status
vulnerable