CVE-2026-1317
SQL Injection in WP Import Plugin Allows Data Exposure
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_ultimate_csv_importer | wp_ultimate_csv_importer | to 7.37 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves SQL Injection via the `file_name` parameter during file uploads in the WP Import β Ultimate CSV XML Importer plugin for WordPress. Detection would involve monitoring for suspicious SQL queries or unusual database activity related to this parameter.
Since the vulnerability requires authenticated access with Subscriber-level or higher and the 'Single Import/Export' option enabled, detection can focus on monitoring file upload events and analyzing filenames for SQL injection patterns.
No explicit detection commands or tools are provided in the available resources.
Can you explain this vulnerability to me?
The WP Import β Ultimate CSV XML Importer for WordPress plugin is vulnerable to SQL Injection in all versions up to and including 7.37. This vulnerability arises because the plugin does not properly escape the `file_name` parameter, which is stored in the database during file uploads and later used in raw SQL queries without proper sanitization.
As a result, authenticated attackers with Subscriber-level access or higher can exploit this flaw by crafting malicious filenames that append additional SQL queries to existing ones. This can lead to unauthorized extraction of sensitive information from the database.
The vulnerability can only be exploited when the 'Single Import/Export' option is enabled and the server is running a PHP version below 8.0.
How can this vulnerability impact me? :
This vulnerability allows an attacker with at least Subscriber-level access to perform SQL Injection attacks by manipulating the filename parameter during file uploads.
The impact includes the potential unauthorized extraction of sensitive information from the WordPress database, which could lead to data breaches or exposure of confidential data.
Since the attack requires authenticated access and specific plugin settings ('Single Import/Export' enabled) along with PHP versions below 8.0, the risk is limited to environments meeting these conditions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The vulnerability affects all versions up to and including 7.37 of the WP Ultimate CSV Importer plugin. Immediate mitigation involves updating the plugin to version 7.38 or later, which presumably addresses the issue.'}, {'type': 'paragraph', 'content': "Additionally, ensure that the 'Single Import/Export' option is disabled if possible, and restrict Subscriber-level users from uploading files until the update is applied."}, {'type': 'paragraph', 'content': 'Also, verify that the server is running PHP version 8.0 or higher, as the vulnerability only affects PHP versions below 8.0.'}] [1]