CVE-2026-13430
Received Received - Intake

Arbitrary File Upload in Post Export Import with Media WordPress Plugin

Vulnerability report for CVE-2026-13430, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the import_media_file_secure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension allow-list check in ajax_import_media_start() uses pathinfo() on the raw ZIP entry name (e.g., 'shell.php.'), which returns an empty string for the extension, causing the allow-list guard to be skipped and the file to be extracted to a temporary location, after which import_media_file_secure() copies it into the WordPress uploads directory without re-validating the extension. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress post_export_import_with_media to 1.13.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Post Export Import with Media plugin for WordPress has a vulnerability in versions up to and including 1.13.1 that allows arbitrary file uploads. This happens because the plugin's import_media_file_secure function does not properly validate file extensions due to a trailing-dot filename bypass. Specifically, the extension allow-list check uses pathinfo() on the raw ZIP entry name, which returns an empty string for filenames ending with a dot (e.g., 'shell.php.'). This causes the allow-list check to be skipped, allowing potentially dangerous files to be extracted and copied into the WordPress uploads directory without proper validation.

As a result, authenticated users with administrator-level access or higher can upload files that may be executable, enabling remote code execution on the affected WordPress site.

Impact Analysis

This vulnerability can have severe impacts because it allows authenticated administrators to upload arbitrary files that may be executable. This can lead to remote code execution, meaning an attacker could run malicious code on your WordPress server.

  • Compromise of the website and server integrity.
  • Potential unauthorized access to sensitive data.
  • Defacement or disruption of website services.
  • Use of the server as a launch point for further attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart