CVE-2026-13353 in WP Ultimate CSV Importer Plugininfo

Summary

by MITRE • 07/11/2026

The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/11/2026

The WP Ultimate CSV Importer plugin presents a critical remote code execution vulnerability affecting versions through 8.0.1 that stems from insufficient access control mechanisms within its AJAX handler endpoints. The vulnerability specifically targets three key functions: install_addon, saveMappedFields, and StartImport which lack proper capability checks to verify user permissions before executing sensitive operations. This architectural flaw creates a pathway for authenticated attackers with subscriber-level privileges to escalate their privileges and execute arbitrary code on the target server.

The technical exploitation mechanism relies on the exposure of plugin nonces to authenticated users who can access admin pages, a critical design weakness that undermines the security model. Attackers can leverage this nonce exposure to install the Import WooCommerce add-on, which serves as a vehicle for code injection. The vulnerability becomes particularly dangerous when combined with the MappedFields parameter handling, where attacker-controlled PHP expressions can be persistently stored and later evaluated through the eval() function in ImportHelpers::get_meta_values(). This chaining of vulnerabilities allows for persistent code execution within the WordPress environment.

The operational impact of this vulnerability extends beyond simple privilege escalation to full server compromise, as subscribers can execute arbitrary PHP code with the privileges of the web server. This creates a significant threat vector for attackers seeking to establish persistent access, steal data, or deploy additional malicious payloads. The vulnerability affects all WordPress installations running the affected plugin version, making it particularly concerning given the widespread use of this import tool across various websites and applications.

Mitigation strategies should focus on immediate patching to versions beyond 8.0.1 where the capability checks have been properly implemented. Organizations should also implement network-level restrictions to limit access to administrative endpoints and consider monitoring for unusual AJAX requests related to plugin functionality. The vulnerability aligns with CWE-284 Access Control Issues and maps to ATT&CK technique T1078 Valid Accounts, as it requires only legitimate user credentials to exploit. Additionally, this weakness demonstrates characteristics of T1546 Event Triggering which relates to the persistence mechanisms enabled by the code execution capability, making it a comprehensive threat requiring multi-layered defensive measures including proper input validation, output encoding, and principle of least privilege enforcement for all plugin operations.

Responsible

Wordfence

Reservation

06/25/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!