{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1317", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-21T23:41:23.912Z", "datePublished": "2026-02-18T12:28:35.464Z", "dateUpdated": "2026-04-08T17:34:58.859Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:58.859Z"}, "affected": [{"vendor": "smackcoders", "product": "WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.37", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0."}], "title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd80133d-03c7-4ecb-ad2c-98950f788ca6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/managerExtensions/LogManager.php#L763"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L181"}, {"url": "https://plugins.trac.wordpress.org/changeset/3445414"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dieu Link"}, {"lang": "en", "type": "finder", "value": "GCSC Vietnam"}], "timeline": [{"time": "2026-01-21T23:58:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:23:58.469471Z", "id": "CVE-2026-1317", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:24:06.821Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1317", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:23:58.469471Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:24:03.645Z"}}], "cna": {"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name", "credits": [{"lang": "en", "type": "finder", "value": "Dieu Link"}, {"lang": "en", "type": "finder", "value": "GCSC Vietnam"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "smackcoders", "product": "WP Import \u2013 Ultimate CSV XML Importer for WordPress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.37"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-21T23:58:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd80133d-03c7-4ecb-ad2c-98950f788ca6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/managerExtensions/LogManager.php#L763"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L181"}, {"url": "https://plugins.trac.wordpress.org/changeset/3445414"}], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-18T12:28:35.464Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1317", "state": "PUBLISHED", "dateUpdated": "2026-02-18T20:24:06.821Z", "dateReserved": "2026-01-21T23:41:23.912Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T12:28:35.464Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0."}, {"lang": "es", "value": "El plugin de WordPress WP Import \u2013 Ultimate CSV XML Importer para WordPress es vulnerable a inyecci\u00f3n SQL en todas las versiones hasta la 7.37 (inclusive). Esto se debe a un escape insuficiente en el par\u00e1metro 'file_name', que se almacena en la base de datos durante la carga de archivos y se utiliza posteriormente en consultas SQL sin procesar sin una sanitizaci\u00f3n adecuada. Esto permite a atacantes autenticados con acceso de nivel Suscriptor o superior a\u00f1adir consultas SQL adicionales a consultas ya existentes a trav\u00e9s de un nombre de archivo malicioso, lo que puede utilizarse para extraer informaci\u00f3n sensible de la base de datos. La vulnerabilidad solo puede explotarse cuando la opci\u00f3n 'Single Import/Export' est\u00e1 habilitada y el servidor est\u00e1 ejecutando una versi\u00f3n de PHP &lt; 8.0."}], "id": "CVE-2026-1317", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T13:16:20.167", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/managerExtensions/LogManager.php#L763"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L181"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3445414"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd80133d-03c7-4ecb-ad2c-98950f788ca6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.37]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Import \u2013 Ultimate CSV XML Importer for WordPress", "source": "cna", "vendor": "smackcoders"}, "product": "wp_import_\u2013_ultimate_csv_xml_importer_for_wordpress", "vendor": "smackcoders"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:04:48.110504+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Ultimate CSV Importer plugin to version 7.38 or later to remove the unsanitized file_name handling.", "Disable the Single Import/Export feature or restrict file uploads to administrator roles to prevent misuse of the vulnerable parameter.", "Upgrade the server to PHP 8.0 or newer, or ensure the plugin is updated for compatibility with current PHP versions."], "summary": {"action": "Immediate Patch", "impact": "SQL injection that may expose or alter WordPress database data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the smackcoders WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress plugin, versions up to and including 7.37. It is only exploitable when the Single Import/Export option is enabled and the server is running PHP 7.x or older.", "description_and_impact": "The WP Ultimate CSV Importer plugin for WordPress has an insufficiently escaped file_name parameter stored in the database and later used in raw SQL queries. This flaw is a classic SQL injection (CWE\u201189) that allows authenticated users with Subscriber or higher roles to append arbitrary SQL statements when a file is uploaded. The attacker can extract sensitive information or modify database contents, potentially compromising the integrity and confidentiality of the site.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1%, suggesting a relatively low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated subscriber-level user and the plugin\u2019s single import/export functionality, which limits the attack surface but still permits data extraction or modification. No public exploits have been reported, but the flaw remains active in all affected plugin releases."}}}}, "created": "2026-02-19T10:20:15.133348+00:00", "updated": "2026-04-15T17:30:10.430878+00:00", "vendors": ["smackcoders", "smackcoders$PRODUCT$wp_import_\u2013_ultimate_csv_xml_importer_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}