CVE-2026-13430: WordPress Post Export Import with Media Plugin Arbitrary File Upload Leading to RCE
A high-severity arbitrary file upload vulnerability, CVE-2026-13430, exists in all versions up to 1.13.1 of the Post Export Import with Media plugin for WordPress, allowing authenticated administrators to upload executable web shells via a trailing-dot filename bypass, leading to remote code execution.
A critical vulnerability, tracked as CVE-2026-13430, has been identified in the "Post Export Import with Media" plugin for WordPress, impacting all versions up to, and including, 1.13.1. This flaw stems from insufficient file extension validation within the import_media_file_secure function, specifically exploiting a trailing-dot filename bypass. Attackers can craft a ZIP archive containing a malicious PHP file (e.g., shell.php.), which, when processed by the ajax_import_media_start() function, circumvents the extension allow-list check due to how pathinfo() handles the trailing dot. The file is initially extracted to a temporary location and subsequently copied to the WordPress uploads directory without re-validation, making it accessible as an executable web shell. This allows authenticated attackers with administrator-level access to achieve remote code execution on the compromised WordPress server.
Attack Chain
- An attacker obtains valid administrator-level credentials for a WordPress site running the vulnerable "Post Export Import with Media" plugin.
- The attacker crafts a ZIP archive containing a malicious PHP web shell (e.g.,
shell.php.) with a trailing dot in its filename. - The attacker logs into the WordPress administration panel and initiates a media import process via the vulnerable plugin, uploading the crafted ZIP archive.
- The plugin's
ajax_import_media_start()function processes the ZIP entry; thepathinfo()function, when encountering the trailing dot (e.g.,shell.php.), returns an empty string for the file extension. - This empty extension bypasses the plugin's allow-list validation check, treating the malicious PHP file as a benign file type.
- The PHP web shell is extracted to a temporary directory on the web server.
- The
import_media_file_secure()function copies the extracted web shell from the temporary location to the/wp-content/uploads/directory without performing further extension re-validation. - The attacker browses to the newly uploaded web shell (e.g.,
https://example.com/wp-content/uploads/shell.php), gaining remote code execution on the web server and potentially full system compromise.
Impact
Successful exploitation of CVE-2026-13430 allows an authenticated attacker with administrator privileges to achieve remote code execution on the WordPress server. This can lead to complete compromise of the website, including defacement, data theft from the database, further network pivot within the hosting environment, or use of the server for malicious activities such as hosting malware or launching attacks against other systems. The widespread use of WordPress and its plugins means many organizations could be exposed if they do not promptly patch this vulnerability.
Recommendation
- Immediately update the "Post Export Import with Media" plugin to a patched version once available to address CVE-2026-13430.
- Deploy the provided Sigma rule to detect post-exploitation web shell access within your WordPress uploads directory.
- Configure web application firewall (WAF) rules to inspect uploaded files for suspicious content and extensions, specifically blocking uploads of PHP files into media directories.
- Regularly review administrator accounts on your WordPress installations for any unauthorized or suspicious activity.
Detection coverage 1
Detect CVE-2026-13430 Exploitation - Web Shell Access in WordPress Uploads
highDetects access to PHP files within the WordPress wp-content/uploads directory, which typically indicates a successful web shell upload via arbitrary file upload vulnerabilities like CVE-2026-13430.
Detection queries are available on the platform. Get full rules →