CVE-2026-1317

Received Received - Intake

SQL Injection in WP Import Plugin Allows Data Exposure

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-18

Last Modified

2026-02-18

Generated

2026-06-16

AI Q&A

2026-02-18

EPSS Evaluated

2026-06-15

NVD

CVE-2026-1317

EUVD

EUVD-2026-7919

Affected Vendors & Products

Vendor	Product	Version / Range
wp_ultimate_csv_importer	wp_ultimate_csv_importer	to 7.37 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Detection Guidance

The vulnerability involves SQL Injection via the `file_name` parameter during file uploads in the WP Import – Ultimate CSV XML Importer plugin for WordPress. Detection would involve monitoring for suspicious SQL queries or unusual database activity related to this parameter.

Since the vulnerability requires authenticated access with Subscriber-level or higher and the 'Single Import/Export' option enabled, detection can focus on monitoring file upload events and analyzing filenames for SQL injection patterns.

No explicit detection commands or tools are provided in the available resources.

Executive Summary

The WP Import – Ultimate CSV XML Importer for WordPress plugin is vulnerable to SQL Injection in all versions up to and including 7.37. This vulnerability arises because the plugin does not properly escape the `file_name` parameter, which is stored in the database during file uploads and later used in raw SQL queries without proper sanitization.

As a result, authenticated attackers with Subscriber-level access or higher can exploit this flaw by crafting malicious filenames that append additional SQL queries to existing ones. This can lead to unauthorized extraction of sensitive information from the database.

The vulnerability can only be exploited when the 'Single Import/Export' option is enabled and the server is running a PHP version below 8.0.

Impact Analysis

This vulnerability allows an attacker with at least Subscriber-level access to perform SQL Injection attacks by manipulating the filename parameter during file uploads.

The impact includes the potential unauthorized extraction of sensitive information from the WordPress database, which could lead to data breaches or exposure of confidential data.

Since the attack requires authenticated access and specific plugin settings ('Single Import/Export' enabled) along with PHP versions below 8.0, the risk is limited to environments meeting these conditions.

Compliance Impact

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The vulnerability affects all versions up to and including 7.37 of the WP Ultimate CSV Importer plugin. Immediate mitigation involves updating the plugin to version 7.38 or later, which presumably addresses the issue.'}, {'type': 'paragraph', 'content': "Additionally, ensure that the 'Single Import/Export' option is disabled if possible, and restrict Subscriber-level users from uploading files until the update is applied."}, {'type': 'paragraph', 'content': 'Also, verify that the server is running PHP version 8.0 or higher, as the vulnerability only affects PHP versions below 8.0.'}] [1]

Hi! I’m here to help you understand CVE-2026-1317. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-1317

SQL Injection in WP Import Plugin Allows Data Exposure

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart