PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13430 wpazleen CVE debrief

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the import_media_file_secure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass. The vulnerability allows attackers to upload files that may be executable, which makes remote code execution possible. The vulnerability exists in the import_media_file_secure function of the Post Export Import with Media plugin. A trailing-dot filename bypass allows attackers to upload files with malicious extensions, which can lead to remote code execution. Administrators and users with high privileges on WordPress installations using the Post Export Import with Media plugin should be aware of this vulnerability and take immediate action to protect their sites. The vulnerability has a CVSS score of 7.2 and a severity of HIGH.

Vendor
wpazleen
Product
Post Export Import with Media
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users with high privileges on WordPress installations using the Post Export Import with Media plugin should be aware of this vulnerability and take immediate action to protect their sites. The vulnerability allows attackers to upload files that may be executable, which makes remote code execution possible. The CVSS score of the vulnerability is 7.2, indicating a HIGH severity.

Technical summary

The vulnerability exists in the import_media_file_secure function of the Post Export Import with Media plugin. A trailing-dot filename bypass allows attackers to upload files with malicious extensions, which can lead to remote code execution. The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the import_media_file_secure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass. The vulnerability allows attackers to upload files that may be executable, which makes remote code execution possible. The CVSS score of the vulnerability is 7.2, indicating a HIGH severity.

Defensive priority

High

Recommended defensive actions

  • Update the Post Export Import with Media plugin to a version that fixes the Arbitrary File Upload vulnerability.
  • Restrict access to the WordPress uploads directory to prevent unauthorized file uploads.
  • Monitor WordPress sites for suspicious activity and implement additional security measures to prevent exploitation.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-10T04:17:47.430Z and was last modified on 2026-07-10T21:16:53.397Z. The NVD entry is currently Deferred. The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the import_media_file_secure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass. The vulnerability exists in the import_media_file_secure function of the Post Export Import with Media plugin. A trailing-dot filename bypass allows attackers to upload files with malicious extensions, which can lead to remote code execution. Administrators and users with high privileges on WordPress installations using the Post Export Import with Media plugin should be aware of this vulnerability and take immediate action to protect their sites.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T04:17:47.430Z and has not been modified since then. The NVD entry is currently Deferred.