PatchSiren cyber security CVE debrief
CVE-2026-13353 smackcoders CVE debrief
The WP Ultimate CSV Importer plugin for WordPress has a Remote Code Execution vulnerability due to missing capability checks and exposed plugin nonce, allowing authenticated attackers to execute code on the server. This vulnerability affects WordPress sites with the plugin installed, particularly those with subscriber-level access or above. The vulnerability is caused by missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page. This allows a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). Administrators and users of WordPress sites with the WP Ultimate CSV Importer plugin installed should be aware of this vulnerability and take immediate action to protect their sites.
- Vendor
- smackcoders
- Product
- WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Administrators and users of WordPress sites with the WP Ultimate CSV Importer plugin installed, especially those with subscriber-level access or above, should be aware of this vulnerability and take immediate action to protect their sites.
Technical summary
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1. The vulnerability is caused by missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page. This allows a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values().
Defensive priority
High priority due to the high CVSS score of 8.8 and the potential for code execution on the server.
Recommended defensive actions
- Update the WP Ultimate CSV Importer plugin to a version that fixes the vulnerability.
- Restrict access to the plugin's AJAX handlers to prevent unauthorized users from exploiting the vulnerability.
- Monitor your WordPress site for suspicious activity, especially if you have subscriber-level users or above.
- Consider implementing additional security measures, such as Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS), to detect and prevent potential attacks.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The vulnerability was reported by [email protected] and is tracked by CVE-2026-13353. The NVD entry is currently being processed. Evidence is limited, and defenders should verify the vulnerability's existence and scope. The CVE record was published on 2026-07-11T04:17:16.937Z and has not been modified since then. Additional verification and review are necessary to confirm affected systems and exposure.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T04:17:16.937Z and has not been modified since then.