Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Published: 2025-11-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WP Ultimate CSV Importer plugin is vulnerable to PHP Object Injection via the import_single_post_as_csv function. An attacker with administrator‑level access can supply a crafted CSV file that is deserialized, allowing the injection of a PHP object. This flaw, classified as CWE‑502, can lead to the deletion of arbitrary files, retrieval of sensitive data, or execution of arbitrary code if a PHP object property chain is present.

Affected Systems

WordPress sites running the WP Ultimate CSV Importer plugin (developed by smackcoders) version 7.33.1 or older are affected. Any installation of this plugin with administrator‑level or higher privileges is at risk.

Risk and Exploitability

The CVSS score is 7.2, indicating a high severity. The EPSS score is below 1%, suggesting low to moderate likelihood of exploitation but still significant. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user with administrator role to upload a malicious CSV file; if a PHP object property chain exists in another plugin or theme, the attacker can perform file deletions, data exfiltration, or arbitrary code execution.

Generated by OpenCVE AI on April 21, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Ultimate CSV Importer to the latest release that removes the vulnerable deserialization code.
  • Reduce the scope of administrator privileges for users who do not need CSV import functionality to mitigate the attacker’s prerequisite for exploit.
  • Ensure all other plugins and themes are up‑to‑date and do not expose PHP object injection chains that could be chained with this vulnerability.

Generated by OpenCVE AI on April 21, 2026 at 18:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Smackcoders
Smackcoders ultimate Csv Importer
Smackcoders wp Ultimate Csv Importer
Wordpress
Wordpress wordpress
Vendors & Products Smackcoders
Smackcoders ultimate Csv Importer
Smackcoders wp Ultimate Csv Importer
Wordpress
Wordpress wordpress

Wed, 19 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 19 Nov 2025 06:00:00 +0000

Type Values Removed Values Added
Description The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Title WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Smackcoders Ultimate Csv Importer Wp Ultimate Csv Importer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:09.377Z

Reserved: 2025-11-13T19:07:19.403Z

Link: CVE-2025-13145

cve-icon Vulnrichment

Updated: 2025-11-19T20:27:12.886Z

cve-icon NVD

Status : Deferred

Published: 2025-11-19T06:15:47.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13145

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses