<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WP Ultimate CSV Importer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/wp-ultimate-csv-importer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 04:20:18 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/wp-ultimate-csv-importer/feed.xml" rel="self" type="application/rss+xml"/><item><title>Remote Code Execution in WP Ultimate CSV Importer WordPress Plugin</title><link>https://feed.craftedsignal.io/briefs/2026-07-rce-wp-ultimate-csv-importer/</link><pubDate>Sat, 11 Jul 2026 04:20:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-rce-wp-ultimate-csv-importer/</guid><description>The WP Ultimate CSV Importer - WordPress Import &amp; Export for CSV, XML &amp; Excel plugin for WordPress, versions up to and including 8.0.1, is vulnerable to Remote Code Execution due to missing capability checks on specific AJAX handlers and exposure of the plugin's nonce, allowing authenticated attackers with subscriber-level access to execute arbitrary code on the server.</description><content:encoded><![CDATA[<p>A critical remote code execution (RCE) vulnerability, identified as CVE-2026-13353, exists in the WP Ultimate CSV Importer - WordPress Import &amp; Export for CSV, XML &amp; Excel plugin for WordPress, affecting all versions up to and including 8.0.1. This flaw stems from a lack of capability checks on AJAX handlers for <code>install_addon</code>, <code>saveMappedFields</code>, and <code>StartImport</code>, coupled with the exposure of the plugin's nonce to any authenticated user. This combination allows authenticated attackers, even with low-privileged subscriber-level access, to leverage the vulnerability. By installing the Import WooCommerce add-on, injecting malicious PHP expressions into the <code>MappedFields</code> parameter, and triggering its evaluation via the <code>eval()</code> function within <code>ImportHelpers::get_meta_values()</code>, adversaries can achieve full remote code execution on the compromised server. This poses a significant risk to WordPress installations using the vulnerable plugin, potentially leading to website defacement, data exfiltration, or further network penetration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker, with subscriber-level access or higher, logs into the WordPress site.</li>
<li>The attacker loads any administrative page to retrieve the plugin's nonce, which is exposed to all authenticated users.</li>
<li>The attacker sends an AJAX request to the <code>install_addon</code> handler, bypassing capability checks due to the vulnerability, to install the Import WooCommerce add-on.</li>
<li>The attacker sends another AJAX request to the <code>saveMappedFields</code> handler, also lacking proper capability checks, to inject and persist attacker-controlled PHP expressions into the <code>MappedFields</code> parameter.</li>
<li>The attacker initiates an import process by sending a request to the <code>StartImport</code> AJAX handler.</li>
<li>The <code>StartImport</code> handler, lacking capability checks, processes the request, which subsequently calls <code>ImportHelpers::get_meta_values()</code>.</li>
<li>The <code>eval()</code> function within <code>ImportHelpers::get_meta_values()</code> evaluates the previously injected PHP expressions.</li>
<li>The attacker's PHP code is executed on the server, resulting in remote code execution and full control over the compromised WordPress installation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-13353 leads to arbitrary remote code execution on the affected WordPress server. This allows attackers to completely compromise the website, leading to potential data breaches, website defacement, injection of malicious content, or further penetration into the hosting environment. Organizations using the vulnerable plugin could face significant financial and reputational damage due to loss of data integrity, confidentiality, and availability. The vulnerability has a CVSS v3.1 Base Score of 8.8 (High), indicating a severe risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-13353 by updating the WP Ultimate CSV Importer - WordPress Import &amp; Export for CSV, XML &amp; Excel plugin to a version higher than 8.0.1 immediately.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-13353 Exploitation - RCE via WP Ultimate CSV Importer Plugin&quot; to your SIEM for detection of exploitation attempts.</li>
<li>Monitor web server logs (category <code>webserver</code>) for suspicious requests to <code>admin-ajax.php</code> containing <code>action=install_addon</code>, <code>action=saveMappedFields</code>, or <code>action=StartImport</code> alongside potential PHP code in the <code>MappedFields</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>rce</category><category>cve</category><category>network</category></item></channel></rss>