
cpe:2.3:a:smackcoders:wp_import_–_ultimate_csv_xml_importer_for_wordpress:*:*:*:*:*:*:*:*

Part: a
Version: *
Update: *
Vendor: Smackcoders (e878c6d9-526e-5971-b31d-cb731330415c)
Product: Wp Import – Ultimate Csv Xml Importer For Wordpress (53cfe9c1-9127-57db-a77e-453368fb0bee)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

Columns: PURL · Source · Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier · CPE applicability · Submitted · db.gcve.eu details · Rationale

CVE-2026-1317 · applicability: vulnerable · submitted 2026-06-03 15:14:44.146551
Title: WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name
Severity: MEDIUM (6.5)
Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.
Published: 2026-02-18T12:28:35.464Z
Updated: 2026-04-08T17:34:58.859Z
Reference links: (none shown)
Rationale: Imported from gcve-enriched-dumps CVE data
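The pattern the description above names (a filename stored at upload time and later spliced into raw SQL) is easier to reason about with the vulnerable query beside the parameterised one. The following is an added example, not code from the plugin or from the CVE record; the table name `ultimate_csv_imports`, its columns, the `FakeWpdb` stand-in for `$wpdb` and the sample filename are all assumptions so that it runs without WordPress.

```php
<?php
// Added example, not code from the plugin or the CVE record. It models the
// pattern CVE-2026-1317 describes: a filename is stored at upload time and later
// spliced into raw SQL. The table name `ultimate_csv_imports`, its columns and
// the FakeWpdb stand-in are assumptions so the file runs without WordPress.
declare(strict_types=1);

// Minimal stand-in for WordPress' $wpdb. The real prepare() escapes each %s
// argument and quotes it before substitution; this mimics that behaviour.
final class FakeWpdb
{
    public string $prefix = 'wp_';

    public function prepare(string $query, string ...$args): string
    {
        $escaped = array_map(
            static fn (string $a): string => str_replace(
                ['\\', "'", '"', "\0", "\n", "\r"],
                ['\\\\', "\\'", '\\"', '\\0', '\\n', '\\r'],
                $a
            ),
            $args
        );
        return vsprintf(str_replace('%s', "'%s'", $query), $escaped);
    }
}

// Vulnerable shape: the stored file_name lands in the query text verbatim, so a
// quote inside it ends the string literal and the rest becomes SQL.
function lookup_import_vulnerable(FakeWpdb $wpdb, string $file_name): string
{
    return "SELECT id, status FROM {$wpdb->prefix}ultimate_csv_imports"
        . " WHERE file_name = '" . $file_name . "'";
}

// Hardened shape: a %s placeholder and prepare(); the value is escaped and stays
// a single string literal whatever it contains.
function lookup_import_hardened(FakeWpdb $wpdb, string $file_name): string
{
    return $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}ultimate_csv_imports WHERE file_name = %s",
        $file_name
    );
}

// Defence in depth at upload time: store only a conservative filename shape, so
// a later query that forgets prepare() still has nothing to work with.
function accept_upload_name(string $name): ?string
{
    $base = basename($name);
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,250}\.(csv|xml)$/i', $base) === 1
        ? $base
        : null;
}

$wpdb = new FakeWpdb();
$hostile = "import.csv' OR '1'='1";   // constructed sample of a malicious filename

echo "vulnerable: ", lookup_import_vulnerable($wpdb, $hostile), PHP_EOL;
echo "hardened:   ", lookup_import_hardened($wpdb, $hostile), PHP_EOL;
var_dump(accept_upload_name($hostile));      // rejected: quotes and spaces fail the allow-list
var_dump(accept_upload_name('orders.csv'));  // accepted
```

Run it with `php` on the command line. The vulnerable line prints a query whose `WHERE` clause has been rewritten by the filename; the hardened line prints the same filename as one escaped string literal. The upload-time allow-list is the second layer: the description says the value is stored and only later used in SQL, so rejecting hostile names before storage protects every later query, including ones written without `prepare()`.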
CVE-2025-13145 · applicability: vulnerable · submitted 2026-06-03 14:58:45.608672
Title: WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import
Severity: HIGH (7.2)
Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Published: 2025-11-19T05:45:13.217Z
Updated: 2026-04-08T16:56:09.377Z
Reference links: (none shown)
Rationale: Imported from gcve-enriched-dumps CVE data
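What "deserialization of untrusted data supplied via CSV file imports" means in practice, and the two usual ways to close it, as an added example that is not the plugin's code. The `Gadget` class is a constructed stand-in for the POP-chain entry point the description says another plugin or theme might supply; the CSV row is constructed as well.

```php
<?php
// Added example, not the plugin's code. It shows what "deserialization of
// untrusted data supplied via CSV file imports" (CVE-2025-13145) means in
// practice and two ways to close it. Gadget is a constructed stand-in for a
// POP-chain entry point that some other installed plugin or theme might provide;
// the CSV row is constructed too.
declare(strict_types=1);

final class GadgetLog
{
    public static array $fired = [];
}

final class Gadget
{
    public string $path = '';

    // A real gadget might unlink($this->path) or include it; this one only records
    // that it ran, which is enough to show the attacker controls the call.
    public function __destruct()
    {
        GadgetLog::$fired[] = $this->path;
    }
}

// Constructed CSV row: one ordinary cell and one carrying a serialized object.
$row = [
    'title' => 'Hello',
    'meta'  => 'O:6:"Gadget":1:{s:4:"path";s:14:"/tmp/wp-config";}',
];

// Vulnerable shape: a cell that looks serialized is handed to unserialize(),
// which instantiates whatever class the cell names (WP's maybe_unserialize()
// behaves the same way).
function import_cell_vulnerable(string $cell)
{
    $value = @unserialize($cell);
    return $value === false ? $cell : $value;
}

// True if an object sits anywhere in the value, including nested in arrays.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened shape 1: allowed_classes => false turns every object in the payload
// into __PHP_Incomplete_Class (no constructor, __wakeup or __destruct of the
// named class runs); any object at any depth is then grounds to drop the cell.
function import_cell_no_objects(string $cell)
{
    $value = @unserialize($cell, ['allowed_classes' => false]);
    if ($value === false) {
        return $cell;   // not serialized (or serialized false): keep as plain text
    }
    return contains_object($value) ? null : $value;
}

// Hardened shape 2: do not accept PHP's serialization format from a CSV at all.
// If structured cell values are needed, accept JSON, which has no class semantics.
function import_cell_json_only(string $cell)
{
    $value = json_decode($cell, true);
    return json_last_error() === JSON_ERROR_NONE ? $value : $cell;
}

foreach (['vulnerable' => 'import_cell_vulnerable',
          'no_objects' => 'import_cell_no_objects',
          'json_only'  => 'import_cell_json_only'] as $label => $fn) {
    GadgetLog::$fired = [];
    $result = $fn($row['meta']);
    unset($result);   // lets any __destruct run now rather than at script end
    printf("%-10s gadget fired: %s\n", $label, GadgetLog::$fired ? 'yes' : 'no');
}
```

Only the vulnerable variant lets `Gadget::__destruct` run; the `allowed_classes` variant never instantiates the named class, and the JSON variant never sees PHP's format at all. The second option is the stronger one for a CSV importer, since a spreadsheet cell has no legitimate reason to carry a serialized PHP object. Note that `allowed_classes => false` only stops instantiation; if the importer later stores the incomplete object into post meta it is re-serialized and may be unserialized elsewhere, which is why the example drops the cell rather than keeping the placeholder.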
CVE-2025-10057 · applicability: vulnerable · submitted 2026-06-03 14:58:33.481893
Title: WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection
Severity: HIGH (8.8)
Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
Published: 2025-09-17T05:18:45.276Z
Updated: 2025-09-17T12:49:25.672Z
Reference links: (none shown)
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2025-10040 · applicability: vulnerable · submitted 2026-06-03 14:58:33.456386
Title: WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure
Severity: HIGH (7.7)
Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
Published: 2025-09-10T06:38:49.153Z
Updated: 2026-04-08T17:11:19.923Z
Reference links: (none shown)
Rationale: Imported from gcve-enriched-dumps CVE data
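The missing capability check on the `get_ftp_details` AJAX action, contrasted with a handler carrying the checks WordPress expects, as an added example that is not the plugin's code. The option name `ucsv_ftp_settings`, the nonce action name, the script handle `ucsv-admin` and the choice of `manage_options` are assumptions, and the file is meant to run inside WordPress as a plugin rather than stand-alone. The same gate is what keeps a Subscriber away from any privileged write path reached through admin-ajax, which is the access level both of the Subscriber+ entries above start from.

```php
<?php
// Added example, not the plugin's code. It contrasts the missing-authorization
// shape CVE-2025-10040 describes (an admin-ajax action that returns stored
// FTP/SFTP credentials to any logged-in user) with a handler carrying the checks
// WordPress expects. The option name `ucsv_ftp_settings`, the nonce action name,
// the script handle `ucsv-admin` and the capability chosen are assumptions; this
// file runs inside WordPress (as a plugin), not stand-alone.

// Vulnerable shape, shown for contrast and NOT registered below. wp_ajax_*
// hooks fire for every authenticated user, so with no capability check any
// Subscriber can request admin-ajax.php?action=get_ftp_details and read the secret.
function ucsv_get_ftp_details_vulnerable(): void
{
    wp_send_json_success(get_option('ucsv_ftp_settings', []));
}

// Hardened shape: nonce (request forgery) and capability (authorization) checks
// before any data is touched, and the secret itself is never sent to the browser.
function ucsv_get_ftp_details_hardened(): void
{
    if (!check_ajax_referer('ucsv_ftp_details', 'nonce', false)) {
        wp_send_json_error(['message' => 'Invalid or expired nonce.'], 403);
    }
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }

    $settings = get_option('ucsv_ftp_settings', []);
    wp_send_json_success([
        'host'         => (string) ($settings['host'] ?? ''),
        'port'         => (int) ($settings['port'] ?? 22),
        'username'     => (string) ($settings['username'] ?? ''),
        // Tell the UI whether a password is configured without revealing it.
        'has_password' => ($settings['password'] ?? '') !== '',
    ]);
}
add_action('wp_ajax_get_ftp_details', 'ucsv_get_ftp_details_hardened');
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers get WP's
// default "0" response instead of reaching the handler.

// The nonce the handler checks is minted server-side and handed to the admin
// page's script (handle assumed to be registered elsewhere). A nonce alone is
// not authorization, which is why the capability check above is still required.
add_action('admin_enqueue_scripts', function (): void {
    wp_localize_script('ucsv-admin', 'ucsvAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('ucsv_ftp_details'),
    ]);
});
```

Two points a reviewer checks in handlers like this: `check_ajax_referer()` with `$die = false` returns `false` on a bad nonce, so its result has to be tested explicitly, and `wp_send_json_error()` ends the request itself, so no `return` is needed after it. Returning `has_password` instead of the password removes the credential from the response entirely; if the UI genuinely needs the secret, that is a sign the design should use a server-side connection test rather than an endpoint that hands credentials to the browser.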
