WordPress Plugin Allows Attackers to Access Sensitive Data

CVE-2026-1317 · CVSS 6.5

Summary

A SQL injection flaw in the WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress allows authenticated users with Subscriber-level access or higher to read sensitive data from the database. The flaw is triggered when a file with a crafted name is uploaded through the importer; the filename is stored and later placed into raw SQL queries. To fix this, update the plugin to version 7.38 or later.

Original description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.
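The description above is a second-order SQL injection: the filename is accepted at upload time, stored, and only later interpolated into a query. The following PHP is an added illustration of that pattern and its fix written for this page; it is not the plugin's own code, and the table name, column names and function names (prefixed `hypothetical_`) are assumptions. It uses only standard WordPress APIs (`$wpdb->prepare()`, `$wpdb->insert()`, `sanitize_file_name()`, `current_user_can()`).

```php
<?php
// Added illustration, not the plugin's code. Table and function names are
// hypothetical; the pattern (a stored filename later concatenated into SQL)
// is the one the advisory describes.

// --- Vulnerable pattern: stored value concatenated into raw SQL -----------
function hypothetical_find_import_vulnerable( $file_name ) {
    global $wpdb;
    // A quote character inside the stored filename terminates the string
    // literal, so the remainder of the name is parsed as SQL.
    $sql = "SELECT id, status FROM {$wpdb->prefix}hypothetical_imports"
         . " WHERE file_name = '$file_name'";
    return $wpdb->get_results( $sql );
}

// --- Hardened pattern: bind the value with $wpdb->prepare() ---------------
function hypothetical_find_import_safe( $file_name ) {
    global $wpdb;
    // %s is quoted and escaped by prepare(); the filename can never change
    // the structure of the statement, whatever it contains.
    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}hypothetical_imports WHERE file_name = %s",
        $file_name
    );
    return $wpdb->get_results( $sql );
}

// Defence in depth at the point of storage: restrict who may import at all,
// and normalise the filename before it is written. Neither replaces
// prepare() at query time, because the stored value is still untrusted.
function hypothetical_store_upload_safe( $file_name ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        // Subscriber-level accounts must not reach import handling at all.
        return new WP_Error( 'forbidden', 'Insufficient capability' );
    }
    $clean = sanitize_file_name( $file_name );
    $wpdb->insert(
        $wpdb->prefix . 'hypothetical_imports',
        array( 'file_name' => $clean ),
        array( '%s' )
    );
    return $clean;
}
```

When reviewing an import or upload handler for this class of bug, grep for `$wpdb->query(`, `$wpdb->get_results(` and `$wpdb->get_var(` calls whose SQL string is built with `.` or `"…$var…"` interpolation rather than passed through `$wpdb->prepare()`; a value being escaped at upload time does not make its later use in raw SQL safe.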
NVD CVSS 3.1 base score: 6.5
Vulnerability type: CWE-89 SQL Injection
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026