Security Alert Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin contains a SQL injection vulnerability that can be exploited by authenticated users with Subscriber-level access or higher when the plugin’s “Single Import/Export” option is enabled and the server is running PHP < 8.0. The issue stems from insufficient escaping of the file_name parameter, which is stored and later used in raw SQL queries, allowing an attacker to append additional SQL and extract sensitive data.
CVE Details
- CVE ID: CVE-2026-1317
- Affected component: WP Import – Ultimate CSV XML Importer for WordPress (a WordPress plugin)
- Affected versions: All versions up to, and including, 7.37
- Published: February 18, 2026 at 1:16:20 PM UTC
- Last modified: February 18, 2026 at 5:51:53 PM UTC
- CVSS v3.1: Base Score 6.5, MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
- Authentication / privileges / interaction: authenticated user required (Subscriber-level access or higher); privileges required: LOW; user interaction: NONE.
- Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE.
- CWE / Weakness: CWE-89 (SQL Injection)
- Fixed version / patch status: Not specified in the CVE entry.
Technical Details
The vulnerability is a SQL injection caused by insufficient escaping of the file_name parameter. The plugin stores the supplied file_name value in the database during file upload and later uses that value in raw SQL queries without proper sanitization or parameterization. An authenticated attacker (Subscriber-level or higher) can supply a crafted filename containing additional SQL syntax to alter the executed query and extract sensitive information from the database.
The vulnerability is dependent on two configuration conditions: the plugin’s “Single Import/Export” option must be enabled, and the server must be running a PHP version earlier than 8.0. These conditions limit the circumstances under which the injection can be executed.
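The flow described above is a second-order injection: the INSERT that stores the filename may itself be safe, and the defect is that the stored value is trusted when it is later spliced into a query. The following Python/sqlite3 model is an added example written for this summary, not the plugin's code; the table names, the stored values and the crafted filename are all constructed for the demonstration. It shows the concatenated lookup beside the parameterized one that fixes it.

```python
"""Second-order SQL injection through a stored filename: a Python/sqlite3
model of the flow described in the advisory (constructed example, not the
plugin's code). Upload stores file_name; a later lookup builds SQL with it."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE uploads (id INTEGER PRIMARY KEY, file_name TEXT);
        CREATE TABLE import_log (file_name TEXT, detail TEXT);
        INSERT INTO import_log VALUES ('products.csv', 'imported 120 rows');
        INSERT INTO import_log VALUES ('staff.csv', 'imported 8 rows (user emails)');
        """
    )
    return conn


def store_upload(conn: sqlite3.Connection, file_name: str) -> int:
    """Step 1 (upload): the filename is written with a placeholder, so this
    INSERT is safe on its own. Trusting the value later is the defect."""
    cur = conn.execute("INSERT INTO uploads (file_name) VALUES (?)", (file_name,))
    return cur.lastrowid


def log_entries_vulnerable(conn: sqlite3.Connection, upload_id: int) -> list[str]:
    """Step 2 (later lookup), vulnerable: the stored value is spliced into
    raw SQL, so any quote character it contains becomes part of the query."""
    (file_name,) = conn.execute(
        "SELECT file_name FROM uploads WHERE id = ?", (upload_id,)
    ).fetchone()
    sql = "SELECT detail FROM import_log WHERE file_name = '" + file_name + "'"
    return [row[0] for row in conn.execute(sql)]


def log_entries_fixed(conn: sqlite3.Connection, upload_id: int) -> list[str]:
    """Step 2, hardened: the stored value is bound as a parameter, so it can
    only ever be compared literally against file_name."""
    (file_name,) = conn.execute(
        "SELECT file_name FROM uploads WHERE id = ?", (upload_id,)
    ).fetchone()
    rows = conn.execute(
        "SELECT detail FROM import_log WHERE file_name = ?", (file_name,)
    )
    return [row[0] for row in rows]


def demo() -> tuple[list[str], list[str]]:
    """Store one crafted filename (constructed) and read it back both ways."""
    conn = make_db()
    # A single quote in the stored name is enough to change the WHERE clause.
    crafted = "products.csv' OR '1'='1"
    upload_id = store_upload(conn, crafted)
    return log_entries_vulnerable(conn, upload_id), log_entries_fixed(conn, upload_id)


if __name__ == "__main__":
    vuln, fixed = demo()
    print("concatenated query returned:", vuln)    # every log row
    print("parameterized query returned:", fixed)  # nothing: no such filename
```

In a WordPress plugin the equivalent of the hardened lookup is running every query that carries a stored or user-supplied value through `$wpdb->prepare()` with placeholders, rather than escaping the value once at upload time and assuming it stays safe wherever it is read back.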
How This Could Impact Your Website
Consider a site with multiple users: a site owner, several internal staff members (Editors/Authors), and external contributors or contractors who upload data. If a contributor with Subscriber-level access uploads a CSV or XML file while the plugin’s Single Import/Export option is enabled and the server runs PHP < 8.0, a maliciously crafted filename could allow that contributor to run additional SQL via the stored filename. This may lead to unauthorized disclosure of database contents such as user email addresses or other sensitive records.
Realistic consequences include exposure of internal user email addresses and other personal data that could increase the risk of targeted phishing or social engineering against staff or customers. The vulnerability, as described, impacts confidentiality rather than integrity or availability, so it should not be assumed to allow full site takeover based solely on the CVE details. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and subscribers who can upload files.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and database access logs for unusual behavior related to imports or file uploads.
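For the monitoring item above, a practical first check is to review the filenames that import users have actually submitted. The script below is an added example written for this summary, not the plugin's or Freshy's code; the upload-log format it parses is invented for the demonstration (adapt `LINE_RE` to whatever your logging emits), and the sample lines are constructed. It flags any import whose filename falls outside a strict character allow-list, and the same `is_safe_filename` check can be applied server-side before a filename is ever stored.

```python
"""Review import filenames from an upload log (constructed example, not the
plugin's code). The log format is hypothetical; adapt LINE_RE to your own."""
import re

# Allow-list: the only characters a CSV/XML import filename should need.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

# Constructed log lines in a hypothetical key=value upload-log format.
SAMPLE_LOG = """\
2026-02-18 13:16:20 import user=editor01 role=editor file_name="products.csv" rows=120
2026-02-18 13:20:41 import user=contrib07 role=subscriber file_name="staff.csv' OR '1'='1" rows=0
2026-02-18 13:22:05 import user=contrib07 role=subscriber file_name="q1 report.xml" rows=3
2026-02-18 13:25:59 import user=author02 role=author file_name="orders-2026.xml" rows=57
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) import user=(?P<user>\S+) role=(?P<role>\S+) '
    r'file_name="(?P<file_name>.*)" rows=(?P<rows>\d+)$'
)

# Characters that have no business in a filename but do in SQL.
SQL_METACHARS = re.compile(r"['\";]|--|/\*")


def is_safe_filename(name: str) -> bool:
    """True only for names made of letters, digits, '.', '_' and '-'."""
    return SAFE_FILENAME.fullmatch(name) is not None


def find_suspicious_imports(log_text: str) -> list[dict]:
    """Return every import whose file_name fails the allow-list, tagged with a
    reason so an analyst can tell a stray space from SQL metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not accepted
        name = m["file_name"]
        if is_safe_filename(name):
            continue
        reason = "sql-metacharacters" if SQL_METACHARS.search(name) else "unexpected-characters"
        findings.append({
            "ts": m["ts"], "user": m["user"], "role": m["role"],
            "file_name": name, "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_imports(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} ({f['role']}): {f['file_name']!r} -> {f['reason']}")
```

Filenames flagged as `sql-metacharacters` from low-privilege accounts are the ones worth correlating with database activity around the same timestamp; `unexpected-characters` hits are usually benign but show which users submit names outside the allow-list and would be rejected if validation were enforced at upload.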
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/managerExtensions/LogManager.php#L763
- https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L181
- https://plugins.trac.wordpress.org/changeset/3445414
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fd80133d-03c7-4ecb-ad2c-98950f788ca6?source=cve