Smackcoders WP Import – Ultimate CSV XML Importer
Moderate fix1 remedy
cpe:2.3:a:smackcoders:wp_ultimate_csv_importer:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- >= 7.20, <= 7.28
WP Import Ultimate CSV XML Importer for WordPress Remote Code Execution Vulnerability
Vulnerability
Patched
A remote code execution vulnerability exists in the WP Import – Ultimate CSV XML Importer for WordPress plugin, affecting all versions prior to 7.29. The issue arises because the plugin's 'write_to_customfile()' function allows authenticated users with Subscriber-level access and above to inject unfiltered PHP code into a file. This injected code can then be executed remotely, leading to unauthorized code execution on the server.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where the vulnerable WordPress site is hosted.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can use the 'write_to_customfile()' function to inject PHP code into the 'customFunction.php' file. Once the code is injected, it can be executed remotely, leading to code execution on the server.
Remediation
Users are advised to update the WP Import – Ultimate CSV XML Importer for WordPress plugin to version 7.29 or a newer patched version.
Added: Sep 17, 2025, 6:18 AM
Updated: Sep 17, 2025, 6:18 AM
Vulnerability Rating
Custom Algorithm
spread
3.4impact
10.0exploitability
6.4remediation
7.7relevance
0.5threat
4.8urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.