Plugin Vulnerability Hub
Plugin | 26 known issues | Latest disclosed: Feb 17, 2026

WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress (`wp-ultimate-csv-importer`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-1317, CVE-2025-14627 and CVE-2025-13145, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 26
High or Critical: 15
Patch Coverage: 100%
Last Updated: Feb 18, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 26 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 15 high severity findings.
Recent CVEs: CVE-2026-1317, CVE-2025-14627 and CVE-2025-13145
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Severity: Medium | Patched: Yes | CVE-2026-1317
WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later u...

Published: Feb 17, 2026
Patched Release: 7.38
Affected Versions: Versions up to 7.37
Next Step: Update to 7.38 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-14627
WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_...

Published: Jan 01, 2026
Patched Release: 7.36
Affected Versions: Versions up to 7.35
Next Step: Update to 7.36 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2025-13145
WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv functio...

Published: Nov 18, 2025
Patched Release: 7.34
Affected Versions: Versions up to 7.33.1
Next Step: Update to 7.34 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-12732
WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for aut...

Published: Nov 11, 2025
Patched Release: 7.33.1
Affected Versions: Versions up to 7.33
Next Step: Update to 7.33.1 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2025-10057
WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for auth...

Published: Sep 16, 2025
Patched Release: 7.29
Affected Versions: 7.20 through 7.28
Next Step: Update to 7.29 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2025-10058
WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated at...

Published: Sep 16, 2025
Patched Release: 7.28
Affected Versions: Versions up to 7.27
Next Step: Update to 7.28 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2025-10040
WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated at...

Published: Sep 09, 2025
Patched Release: 7.28
Affected Versions: Versions up to 7.27
Next Step: Update to 7.28 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2025-2008
Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload

The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attac...

Published: Mar 31, 2025
Patched Release: 7.19.1
Affected Versions: Versions up to 7.19
Next Step: Update to 7.19.1 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2025-2007
Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion

The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, wi...

Published: Mar 25, 2025
Patched Release: 7.19.1
Affected Versions: Versions up to 7.19
Next Step: Update to 7.19.1 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2023-4141
WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) PHP File Creation to Remote Code Execution

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access i...

Published: Aug 03, 2023
Patched Release: 7.9.9
Affected Versions: Versions up to 7.9.8
Next Step: Update to 7.9.9 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2023-4139
WP Ultimate CSV Importer <= 7.9.8 - Sensitive Information Exposure via Directory Listing

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and v...

Published: Aug 03, 2023
Patched Release: 7.9.9
Affected Versions: Versions up to 7.9.8
Next Step: Update to 7.9.9 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2023-4142
WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) Remote Code Execution

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access i...

Published: Aug 03, 2023
Patched Release: 7.9.9
Affected Versions: Versions up to 7.9.8
Next Step: Update to 7.9.9 or newer if supported.