WordPress Plugin Vulnerabilities

WP Ultimate CSV Importer < 7.9.9 - Author+ Privilege Escalation

Description

The plugin does not validate User Metadata, which could allow author and above roles who have been granted access to the plugin settings to update their role to administrator

Affects Plugins

Plugin icon
wp-ultimate-csv-importer
Fixed in 7.9.9

References

CVE
CVE-2023-4140

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
d0ba5f6f-0563-4103-ac73-f0ea2108d970

Timeline

Publicly Published
2023-08-03 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2025-07-22
Title
Social Streams <= 1.2.1 - Subscriber+ Privilege Escalation
Published
2025-04-23
Title
Frontend Login and Registration Blocks < 1.0.9 - Subscriber+ Privilege Escalation via Password Reset
Published
2026-01-12
Title
User Profile Builder < 3.15.2 - Unauthenticated Arbitrary Password Reset
Published
2025-11-06
Title
IDonate 2.1.5 - 2.1.9 - Subscriber+ Account Takeover/Privilege Escalation
Published
2026-04-15
Title
Barcode Scanner (+Mobile App) < 1.12.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication