{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/wp-ultimate-csv-importer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-13353"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP Ultimate CSV Importer – WordPress Import \u0026 Export for CSV, XML \u0026 Excel plugin (\u003c= 8.0.1)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","rce","cve","network"],"_cs_type":"advisory","_cs_vendors":["WP Ultimate CSV Importer"],"content_html":"\u003cp\u003eA critical remote code execution (RCE) vulnerability, identified as CVE-2026-13353, exists in the WP Ultimate CSV Importer - WordPress Import \u0026amp; Export for CSV, XML \u0026amp; Excel plugin for WordPress, affecting all versions up to and including 8.0.1. This flaw stems from a lack of capability checks on AJAX handlers for \u003ccode\u003einstall_addon\u003c/code\u003e, \u003ccode\u003esaveMappedFields\u003c/code\u003e, and \u003ccode\u003eStartImport\u003c/code\u003e, coupled with the exposure of the plugin's nonce to any authenticated user. This combination allows authenticated attackers, even with low-privileged subscriber-level access, to leverage the vulnerability. By installing the Import WooCommerce add-on, injecting malicious PHP expressions into the \u003ccode\u003eMappedFields\u003c/code\u003e parameter, and triggering its evaluation via the \u003ccode\u003eeval()\u003c/code\u003e function within \u003ccode\u003eImportHelpers::get_meta_values()\u003c/code\u003e, adversaries can achieve full remote code execution on the compromised server. This poses a significant risk to WordPress installations using the vulnerable plugin, potentially leading to website defacement, data exfiltration, or further network penetration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker, with subscriber-level access or higher, logs into the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker loads any administrative page to retrieve the plugin's nonce, which is exposed to all authenticated users.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an AJAX request to the \u003ccode\u003einstall_addon\u003c/code\u003e handler, bypassing capability checks due to the vulnerability, to install the Import WooCommerce add-on.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another AJAX request to the \u003ccode\u003esaveMappedFields\u003c/code\u003e handler, also lacking proper capability checks, to inject and persist attacker-controlled PHP expressions into the \u003ccode\u003eMappedFields\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an import process by sending a request to the \u003ccode\u003eStartImport\u003c/code\u003e AJAX handler.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eStartImport\u003c/code\u003e handler, lacking capability checks, processes the request, which subsequently calls \u003ccode\u003eImportHelpers::get_meta_values()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eeval()\u003c/code\u003e function within \u003ccode\u003eImportHelpers::get_meta_values()\u003c/code\u003e evaluates the previously injected PHP expressions.\u003c/li\u003e\n\u003cli\u003eThe attacker's PHP code is executed on the server, resulting in remote code execution and full control over the compromised WordPress installation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13353 leads to arbitrary remote code execution on the affected WordPress server. This allows attackers to completely compromise the website, leading to potential data breaches, website defacement, injection of malicious content, or further penetration into the hosting environment. Organizations using the vulnerable plugin could face significant financial and reputational damage due to loss of data integrity, confidentiality, and availability. The vulnerability has a CVSS v3.1 Base Score of 8.8 (High), indicating a severe risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-13353 by updating the WP Ultimate CSV Importer - WordPress Import \u0026amp; Export for CSV, XML \u0026amp; Excel plugin to a version higher than 8.0.1 immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-13353 Exploitation - RCE via WP Ultimate CSV Importer Plugin\u0026quot; to your SIEM for detection of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e) for suspicious requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e containing \u003ccode\u003eaction=install_addon\u003c/code\u003e, \u003ccode\u003eaction=saveMappedFields\u003c/code\u003e, or \u003ccode\u003eaction=StartImport\u003c/code\u003e alongside potential PHP code in the \u003ccode\u003eMappedFields\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T04:20:18Z","date_published":"2026-07-11T04:20:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rce-wp-ultimate-csv-importer/","summary":"The WP Ultimate CSV Importer - WordPress Import \u0026 Export for CSV, XML \u0026 Excel plugin for WordPress, versions up to and including 8.0.1, is vulnerable to Remote Code Execution due to missing capability checks on specific AJAX handlers and exposure of the plugin's nonce, allowing authenticated attackers with subscriber-level access to execute arbitrary code on the server.","title":"Remote Code Execution in WP Ultimate CSV Importer WordPress Plugin","url":"https://feed.craftedsignal.io/briefs/2026-07-rce-wp-ultimate-csv-importer/"}],"language":"en","title":"CraftedSignal Threat Feed - WP Ultimate CSV Importer","version":"https://jsonfeed.org/version/1.1"}