CVE-2026-13353
Last modified
CVE-2026-13353 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). EPSS estimates a 0.61% chance of exploitation in the next 30 days.
Description
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| smackcoders | WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel | <= 8.0.1 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13353?
How severe is CVE-2026-13353?
How do I fix CVE-2026-13353?
Related CVEs from 2026
- CVE-2026-1334An Out-Of-Bounds Read vulnerability affecting the EPRT file …7.8
- CVE-2026-13341A vulnerability exists in the Kong Konnect Model Context Pro…7.4
- CVE-2026-13347The Hide My WP Lite plugin for WordPress is vulnerable to Ar…7.5
- CVE-2026-1335An Out-Of-Bounds Write vulnerability affecting the EPRT file…7.8
- CVE-2026-13350Permissions where checked incorrectly during room creation, …2.3
- CVE-2026-13351Zephyr's IPv6 network stack can be prevented from receiving …7.5
- CVE-2026-13356A malicious webpage could interrupt a pending navigation by …6.3
- CVE-2026-13357The Houzez Property Feed plugin for WordPress is vulnerable …4.9
- CVE-2026-1336The AI ChatBot with ChatGPT and Content Generator by AYS plu…5.3
- CVE-2026-13368WatchGuard Fireware OS contains a race condition leading to …9.2
- CVE-2026-13369The Ninja Forms - File Uploads plugin for WordPress is vulne…7.5
- CVE-2026-1337Insufficient escaping of unicode characters in query log in …5.4
Are you affected by CVE-2026-13353?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
