Skip to content
Threat Feed
high advisory

Remote Code Execution in WP Ultimate CSV Importer WordPress Plugin

The WP Ultimate CSV Importer - WordPress Import & Export for CSV, XML & Excel plugin for WordPress, versions up to and including 8.0.1, is vulnerable to Remote Code Execution due to missing capability checks on specific AJAX handlers and exposure of the plugin's nonce, allowing authenticated attackers with subscriber-level access to execute arbitrary code on the server.

A critical remote code execution (RCE) vulnerability, identified as CVE-2026-13353, exists in the WP Ultimate CSV Importer - WordPress Import & Export for CSV, XML & Excel plugin for WordPress, affecting all versions up to and including 8.0.1. This flaw stems from a lack of capability checks on AJAX handlers for install_addon, saveMappedFields, and StartImport, coupled with the exposure of the plugin's nonce to any authenticated user. This combination allows authenticated attackers, even with low-privileged subscriber-level access, to leverage the vulnerability. By installing the Import WooCommerce add-on, injecting malicious PHP expressions into the MappedFields parameter, and triggering its evaluation via the eval() function within ImportHelpers::get_meta_values(), adversaries can achieve full remote code execution on the compromised server. This poses a significant risk to WordPress installations using the vulnerable plugin, potentially leading to website defacement, data exfiltration, or further network penetration.

Attack Chain

  1. An authenticated attacker, with subscriber-level access or higher, logs into the WordPress site.
  2. The attacker loads any administrative page to retrieve the plugin's nonce, which is exposed to all authenticated users.
  3. The attacker sends an AJAX request to the install_addon handler, bypassing capability checks due to the vulnerability, to install the Import WooCommerce add-on.
  4. The attacker sends another AJAX request to the saveMappedFields handler, also lacking proper capability checks, to inject and persist attacker-controlled PHP expressions into the MappedFields parameter.
  5. The attacker initiates an import process by sending a request to the StartImport AJAX handler.
  6. The StartImport handler, lacking capability checks, processes the request, which subsequently calls ImportHelpers::get_meta_values().
  7. The eval() function within ImportHelpers::get_meta_values() evaluates the previously injected PHP expressions.
  8. The attacker's PHP code is executed on the server, resulting in remote code execution and full control over the compromised WordPress installation.

Impact

Successful exploitation of CVE-2026-13353 leads to arbitrary remote code execution on the affected WordPress server. This allows attackers to completely compromise the website, leading to potential data breaches, website defacement, injection of malicious content, or further penetration into the hosting environment. Organizations using the vulnerable plugin could face significant financial and reputational damage due to loss of data integrity, confidentiality, and availability. The vulnerability has a CVSS v3.1 Base Score of 8.8 (High), indicating a severe risk.

Recommendation

  • Patch CVE-2026-13353 by updating the WP Ultimate CSV Importer - WordPress Import & Export for CSV, XML & Excel plugin to a version higher than 8.0.1 immediately.
  • Deploy the Sigma rule "Detects CVE-2026-13353 Exploitation - RCE via WP Ultimate CSV Importer Plugin" to your SIEM for detection of exploitation attempts.
  • Monitor web server logs (category webserver) for suspicious requests to admin-ajax.php containing action=install_addon, action=saveMappedFields, or action=StartImport alongside potential PHP code in the MappedFields parameter.

Detection coverage 1

Detects CVE-2026-13353 Exploitation - RCE via WP Ultimate CSV Importer Plugin

high

Detects CVE-2026-13353 exploitation attempts where authenticated attackers abuse specific AJAX handlers in the WP Ultimate CSV Importer plugin to inject and execute PHP code via the 'MappedFields' parameter.

sigma tactics: execution, initial_access techniques: T1059.008, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →