WordPress Plugin Vulnerabilities

WP Ultimate CSV Importer < 7.9.9 - Author+ RCE

Description

The plugin does not validate imported files, which could allow authors and above roles who have been granted access to the plugin settings to perform RCE.

Affects Plugins

Plugin icon
wp-ultimate-csv-importer
Fixed in 7.9.9

References

CVE
CVE-2023-4141
CVE
CVE-2023-4142

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
d9d7c44e-1300-441b-83e3-d23aecc0dfec

Timeline

Publicly Published
2023-08-03 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2019-06-11
Title
Insert or Embed Articulate Content into WordPress < 4.2999 - Unauthenticated RCE
Published
2025-09-26
Title
XStore < 9.6 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-11-19
Title
WooCommerce Product Table Lite < 3.8.7 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
Published
2026-03-02
Title
tagDiv Composer <= 5.4.3 - Unauthenticated Arbitrary Shortcode Execution
Published
2015-10-23
Title
Form Manager <= 1.7.2 - Authenticated Remote Command Execution (RCE)