CVE-2026-13353
Smackcoders · WP Ultimate CSV Importer
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to authenticated Remote Code Execution, allowing attackers with low-level privileges to inject and execute arbitrary code.
Executive summary
An authenticated Remote Code Execution vulnerability in the WP Ultimate CSV Importer plugin poses a critical risk to WordPress site integrity.
Vulnerability
The plugin is susceptible to CWE-94 (Code Injection) due to improper control of code generation. An attacker with authenticated access (low-privileged user) can leverage this flaw to execute arbitrary code on the underlying server.
Business impact
Successful exploitation allows an attacker to achieve full remote code execution, leading to complete site compromise, data theft, and potential lateral movement within the hosting environment. With a CVSS score of 8.8, this vulnerability is classified as High severity and represents a significant threat to organizational data confidentiality and system availability.
Remediation
Immediate Action: Update the WP Ultimate CSV Importer plugin to the latest version immediately to patch the injection vulnerability.
Proactive Monitoring: Monitor server logs for unusual file creation or unexpected execution patterns originating from the plugin’s directory.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter malicious input patterns that attempt to trigger code injection sequences.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the severity of potential remote code execution, administrators must prioritize updating this plugin across all WordPress instances. If an immediate update is not feasible, restrict plugin access to trusted administrative accounts or disable the plugin until a patch is applied to mitigate the risk of compromise.