WordPress Plugin Vulnerabilities

WP Import – Ultimate CSV XML Importer for WordPress < 7.38 - Authenticated (Subscriber+) SQL Injection via File Name

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.

Affects Plugins

Plugin icon
wp-ultimate-csv-importer
Fixed in 7.38

References

CVE
CVE-2026-1317
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fd80133d-03c7-4ecb-ad2c-98950f788ca6

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Dieu Link, GCSC Vietnam
Verified
No
WPVDB ID
d5b3d1e6-731f-408e-b278-411b22a12174

Timeline

Publicly Published
2026-02-17 (about 1 month ago)
Added
2026-02-18 (about 1 month ago)
Last Updated
2026-02-18 (about 1 month ago)

Other

Published
Title
Published
2022-11-07
Title
HTML Forms < 1.3.25 - Admin+ SQLi
Published
2025-04-04
Title
uListing <= 2.2.0 - Admin+ SQL Injection
Published
2025-05-16
Title
CountDown Pro WP Plugin <= 2.7 - Authenticated (Contributor+) SQL Injection
Published
2020-07-18
Title
Email Subscribers & Newsletters < 4.5.1 - Authenticated SQL injection in es_newsletters_settings_callback()
Published
2022-12-09
Title
Cryptocurrency Widgets Pack < 2.0 - Unauthenticated SQLi