Skip to main content

Wp Ultimate Csv Importer Wordpress Import Export For Csv Xml Excel

1 CVEs product

Monthly

CVE-2026-13353 HIGH This Week

Authenticated remote code execution in the Smackcoders WP Ultimate CSV Importer WordPress plugin (versions up to and including 8.0.1) lets a low-privileged Subscriber run arbitrary PHP on the server. Missing capability checks on the install_addon, saveMappedFields, and StartImport AJAX handlers, plus a plugin nonce leaked to any authenticated admin-page viewer, let an attacker install the WooCommerce add-on, persist PHP expressions in the MappedFields parameter, and force their evaluation through eval() in ImportHelpers::get_meta_values(). No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; with an EPSS signal not provided, the CVSS 8.8 and trivial subscriber prerequisite make it a high patch priority.

Code Injection WordPress PHP RCE Wp Ultimate Csv Importer Wordpress Import Export For Csv Xml Excel
NVD
CVSS 3.1
8.8
EPSS
0.4%
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in the Smackcoders WP Ultimate CSV Importer WordPress plugin (versions up to and including 8.0.1) lets a low-privileged Subscriber run arbitrary PHP on the server. Missing capability checks on the install_addon, saveMappedFields, and StartImport AJAX handlers, plus a plugin nonce leaked to any authenticated admin-page viewer, let an attacker install the WooCommerce add-on, persist PHP expressions in the MappedFields parameter, and force their evaluation through eval() in ImportHelpers::get_meta_values(). No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; with an EPSS signal not provided, the CVSS 8.8 and trivial subscriber prerequisite make it a high patch priority.

Code Injection WordPress PHP +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy