WP Import - Ultimate CSV XML Importer for WordPress PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the WP Import - Ultimate CSV XML Importer for WordPress plugin, affecting all versions through 7.33.1. The vulnerability arises from the deserialization of untrusted data imported via CSV files, specifically in the 'import_single_post_as_csv' function within 'SingleImportExport.php'. This flaw allows authenticated attackers with administrator-level access to inject PHP objects. If a suitable PHP Object Injection chain exists through another plugin or theme on the target site, it could enable the attacker to delete arbitrary files, access sensitive information, or execute code.

Impact

Successful exploitation results in PHP Object Injection. Where a usable gadget chain is present on the site, the injected objects can be made to perform harmful actions such as executing code, deleting files, or disclosing sensitive data.

Reproduction

To reproduce this vulnerability, an authenticated user with administrator privileges uploads a crafted CSV file through the WordPress admin interface. The 'import_single_post_as_csv' function deserializes the untrusted data from that file, so a CSV containing a specially crafted serialized payload results in PHP Object Injection.
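The following is an added illustration, not code from the plugin or from this advisory: a hypothetical CSV import helper that shows the unsafe unserialize() pattern the Vulnerability and Reproduction sections describe next to a hardened form that refuses to instantiate any class and rejects objects found in a cell. The function names and the sample rows are constructed.

```php
<?php
// Constructed sample rows, as they would look after CSV parsing (not real import data).
// The second row's meta_value cell is a serialized PHP object.
$rows = [
    ['post_title' => 'Plain row',  'meta_value' => 'just a string'],
    ['post_title' => 'Array row',  'meta_value' => 'a:1:{s:5:"color";s:4:"blue";}'],
    ['post_title' => 'Object row', 'meta_value' => 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'],
];

// Unsafe: unserialize() with no class restriction instantiates whatever class the
// cell names. If a gadget class from another plugin or theme is loaded, its
// __wakeup()/__destruct() runs with attacker-controlled properties. Shown only for
// contrast; never called below.
function import_meta_unsafe(string $cell) {
    return @unserialize($cell);
}

// Hardened: allowed_classes=false makes every object come back as
// __PHP_Incomplete_Class, whose magic methods never fire. We then reject any
// object anywhere in the result, so only scalars and arrays are imported.
function import_meta_safe(string $cell) {
    if ($cell === 'b:0;') {
        return false;                        // the one legitimate serialized "false"
    }
    $value = @unserialize($cell, ['allowed_classes' => false]);
    if ($value === false) {
        return $cell;                        // not serialized data: keep the plain string
    }
    if (contains_object($value)) {
        throw new InvalidArgumentException('serialized object rejected in CSV import');
    }
    return $value;
}

// Recursive check: an object at any depth (including __PHP_Incomplete_Class) is rejected.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

foreach ($rows as $row) {
    try {
        echo "{$row['post_title']}: imported " . var_export(import_meta_safe($row['meta_value']), true) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "{$row['post_title']}: rejected ({$e->getMessage()})\n";
    }
}
```

Run against the constructed rows, the first two cells import as a string and an array while the third is rejected before any class could be instantiated.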

Remediation

Users are advised to update the WP Import - Ultimate CSV XML Importer for WordPress plugin to version 7.34 or later.

Added: Nov 19, 2025, 6:18 AM
Updated: Nov 19, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm

  spread:         3.4
  impact:         10.0
  exploitability: 6.0
  remediation:    7.7
  relevance:      1.1
  threat:         4.8
  urgency:        2.9
  incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.