Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
90 vulnerabilities by Smackcoders
CVE-2026-1317 (GCVE-0-2026-1317)
Vulnerability from nvd – Published: 2026-02-18 12:28 – Updated: 2026-04-08 17:34
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.37
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T20:23:58.469471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:24:06.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.37",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dieu Link"
},
{
"lang": "en",
"type": "finder",
"value": "GCSC Vietnam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the \u0027Single Import/Export\u0027 option is enabled, and the server is running a PHP version \u003c 8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:58.859Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd80133d-03c7-4ecb-ad2c-98950f788ca6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/managerExtensions/LogManager.php#L763"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L181"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3445414"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T23:58:48.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1317",
"datePublished": "2026-02-18T12:28:35.464Z",
"dateReserved": "2026-01-21T23:41:23.912Z",
"dateUpdated": "2026-04-08T17:34:58.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14627 (GCVE-0-2025-14627)
Vulnerability from nvd – Published: 2026-01-01 16:19 – Updated: 2026-04-08 17:04
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.35
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T20:08:44.277376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:08:58.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.35",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dieu Link"
},
{
"lang": "en",
"type": "finder",
"value": "GCSC Vietnam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:04:57.772Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87040f2b-4de0-4a8d-ae30-b340638a6df2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L290"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3421699/wp-ultimate-csv-importer/trunk/uploadModules/UrlUpload.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-12T21:45:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-01T03:53:26.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14627",
"datePublished": "2026-01-01T16:19:31.257Z",
"dateReserved": "2025-12-12T21:29:55.600Z",
"dateUpdated": "2026-04-08T17:04:57.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13606 (GCVE-0-2025-13606)
Vulnerability from nvd – Published: 2025-12-02 04:37 – Updated: 2026-04-08 16:45
VLAI
Title
Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure
Summary
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | Export All Posts, Products, Orders, Refunds & Users |
Affected:
0 , ≤ 2.19
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T14:16:54.020245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T14:21:30.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Export All Posts, Products, Orders, Refunds \u0026 Users",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "2.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lucky_buddy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Export All Posts, Products, Orders, Refunds \u0026 Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:45:53.338Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3405694/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-14T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-24T15:06:28.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-01T16:23:28.000Z",
"value": "Disclosed"
}
],
"title": "Export All Posts, Products, Orders, Refunds \u0026 Users \u003c= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13606",
"datePublished": "2025-12-02T04:37:14.256Z",
"dateReserved": "2025-11-24T14:50:42.137Z",
"dateUpdated": "2026-04-08T16:45:53.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13145 (GCVE-0-2025-13145)
Vulnerability from nvd – Published: 2025-11-19 05:45 – Updated: 2026-04-08 16:56
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.33.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:27:05.837164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:27:18.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.33.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dieu Link"
},
{
"lang": "en",
"type": "finder",
"value": "GCSC Vietnam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:09.377Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e441699-4c78-4277-8ac1-f33b810e78cb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/SingleImportExport.php#L116"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3397842/wp-ultimate-csv-importer/trunk/SingleImportExport.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-13T19:22:27.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T17:44:17.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13145",
"datePublished": "2025-11-19T05:45:13.217Z",
"dateReserved": "2025-11-13T19:07:19.403Z",
"dateUpdated": "2026-04-08T16:56:09.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12732 (GCVE-0-2025-12732)
Vulnerability from nvd – Published: 2025-11-12 08:28 – Updated: 2026-04-08 16:42
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.33
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:40:42.860039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:40:54.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.33",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin\u0027s admin interface."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:24.421Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-04T22:23:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-11T20:07:42.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12732",
"datePublished": "2025-11-12T08:28:04.060Z",
"dateReserved": "2025-11-04T22:08:04.891Z",
"dateUpdated": "2026-04-08T16:42:24.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10057 (GCVE-0-2025-10057)
Vulnerability from nvd – Published: 2025-09-17 05:18 – Updated: 2025-09-17 12:49
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Import – Ultimate CSV XML Importer for WordPress |
Affected:
7.20 , ≤ 7.28
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T12:49:05.914618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T12:49:25.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Import \u2013 Ultimate CSV XML Importer for WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.28",
"status": "affected",
"version": "7.20",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T05:18:45.276Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/925af22b-a728-496e-a63a-5966347ebe6c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.25/importExtensions/ImportHelpers.php#L585"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/uploadModules/DesktopUpload.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/importExtensions/ImportHelpers.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-05T19:51:15.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-16T17:10:32.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10057",
"datePublished": "2025-09-17T05:18:45.276Z",
"dateReserved": "2025-09-05T19:36:05.766Z",
"dateUpdated": "2025-09-17T12:49:25.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10058 (GCVE-0-2025-10058)
Vulnerability from nvd – Published: 2025-09-17 05:18 – Updated: 2026-04-08 16:55
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.27
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T12:48:36.842834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T12:48:43.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.27",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:55:07.390Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a6bcfa6-7a40-4566-b4d2-62b696ded2d6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L200"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360611/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-05T19:57:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-16T17:09:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10058",
"datePublished": "2025-09-17T05:18:44.816Z",
"dateReserved": "2025-09-05T19:41:54.480Z",
"dateUpdated": "2026-04-08T16:55:07.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10040 (GCVE-0-2025-10040)
Vulnerability from nvd – Published: 2025-09-10 06:38 – Updated: 2026-04-08 17:11
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.27
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T20:30:43.299727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T20:30:53.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.27",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_ftp_details\u0027 AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:11:19.923Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcdcaa4-c492-4d79-8d18-44802abd02e7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L231"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-05T17:55:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-09T17:59:47.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.27 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10040",
"datePublished": "2025-09-10T06:38:49.153Z",
"dateReserved": "2025-09-05T17:40:07.006Z",
"dateUpdated": "2026-04-08T17:11:19.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9990 (GCVE-0-2025-9990)
Vulnerability from nvd – Published: 2025-09-05 02:25 – Updated: 2026-04-08 16:50
VLAI
Title
WordPress Helpdesk Integration <= 5.8.10 - Unauthenticated Local File Inclusion
Summary
The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WordPress Helpdesk Integration |
Affected:
0 , ≤ 5.8.10
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T15:57:22.328008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T15:59:11.935Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress Helpdesk Integration",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "5.8.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aril Aprilio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:33.382Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49a935cc-7b95-4abd-9a4d-c7e14c765863?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-helpdesk-integration/trunk/index.php#L85"
},
{
"url": "https://plugins.svn.wordpress.org/wp-helpdesk-integration/trunk/index.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-04T14:28:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-04T14:13:08.000Z",
"value": "Disclosed"
}
],
"title": "WordPress Helpdesk Integration \u003c= 5.8.10 - Unauthenticated Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9990",
"datePublished": "2025-09-05T02:25:01.708Z",
"dateReserved": "2025-09-04T14:12:40.568Z",
"dateUpdated": "2026-04-08T16:50:33.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5692 (GCVE-0-2025-5692)
Vulnerability from nvd – Published: 2025-07-02 02:03 – Updated: 2026-04-08 16:42
VLAI
Title
Lead Form Data Collection to CRM <= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions
Summary
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | Lead Form Data Collection to CRM |
Affected:
0 , ≤ 3.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5692",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-02T13:01:32.622634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T13:19:20.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Lead Form Data Collection to CRM",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:41.444Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26404b5c-a0f2-4223-be61-1f03873666fb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-leads-builder-any-crm/trunk/includes/Functions.php#L423"
},
{
"url": "https://wordpress.org/plugins/wp-leads-builder-any-crm/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3319750%40wp-leads-builder-any-crm\u0026new=3319750%40wp-leads-builder-any-crm\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-20T07:21:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-07-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Lead Form Data Collection to CRM \u003c= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-5692",
"datePublished": "2025-07-02T02:03:53.387Z",
"dateReserved": "2025-06-04T20:04:29.128Z",
"dateUpdated": "2026-04-08T16:42:41.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47690 (GCVE-0-2025-47690)
Vulnerability from nvd – Published: 2025-05-23 12:43 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress Lead Form Data Collection to CRM plugin <= 3.1 - Arbitrary Option Update to Privilege Escalation vulnerability
Summary
Missing Authorization vulnerability in Smackcoders Inc., Lead Form Data Collection to CRM wp-leads-builder-any-crm allows Privilege Escalation.This issue affects Lead Form Data Collection to CRM: from n/a through <= 3.1.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Smackcoders Inc., | Lead Form Data Collection to CRM |
Affected:
0 , ≤ 3.1
(custom)
|
Date Public
2026-04-01 16:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47690",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:27:31.112418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T14:27:36.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-leads-builder-any-crm",
"product": "Lead Form Data Collection to CRM",
"vendor": "Smackcoders Inc.,",
"versions": [
{
"changes": [
{
"at": "3.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:58.486Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Smackcoders Inc., Lead Form Data Collection to CRM wp-leads-builder-any-crm allows Privilege Escalation.\u003cp\u003eThis issue affects Lead Form Data Collection to CRM: from n/a through \u003c= 3.1.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Smackcoders Inc., Lead Form Data Collection to CRM wp-leads-builder-any-crm allows Privilege Escalation.This issue affects Lead Form Data Collection to CRM: from n/a through \u003c= 3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:50.142Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-leads-builder-any-crm/vulnerability/wordpress-lead-form-data-collection-to-crm-plugin-3-1-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Lead Form Data Collection to CRM plugin \u003c= 3.1 - Arbitrary Option Update to Privilege Escalation vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47690",
"datePublished": "2025-05-23T12:43:18.277Z",
"dateReserved": "2025-05-07T10:45:47.045Z",
"dateUpdated": "2026-04-28T16:12:50.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31788 (GCVE-0-2025-31788)
Vulnerability from nvd – Published: 2025-04-01 14:51 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress AIO Performance Profiler, Monitor, Optimize, Compress & Debug plugin <= 1.3 - Sensitive Data Exposure vulnerability
Summary
Insertion of Sensitive Information into Log File vulnerability in Smackcoders Inc., AIO Performance Profiler, Monitor, Optimize, Compress & Debug all-in-one-performance-accelerator allows Retrieve Embedded Sensitive Data.This issue affects AIO Performance Profiler, Monitor, Optimize, Compress & Debug: from n/a through <= 1.3.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Smackcoders Inc., | AIO Performance Profiler, Monitor, Optimize, Compress & Debug |
Affected:
0 , ≤ 1.3
(custom)
|
Date Public
2026-04-01 16:37
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T18:36:44.401161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T18:36:54.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "all-in-one-performance-accelerator",
"product": "AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug",
"vendor": "Smackcoders Inc.,",
"versions": [
{
"lessThanOrEqual": "1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mika | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:37:55.961Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information into Log File vulnerability in Smackcoders Inc., AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug all-in-one-performance-accelerator allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug: from n/a through \u003c= 1.3.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File vulnerability in Smackcoders Inc., AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug all-in-one-performance-accelerator allows Retrieve Embedded Sensitive Data.This issue affects AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug: from n/a through \u003c= 1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:12.745Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/all-in-one-performance-accelerator/vulnerability/wordpress-aio-performance-profiler-monitor-optimize-compress-debug-plugin-1-2-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug plugin \u003c= 1.3 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31788",
"datePublished": "2025-04-01T14:51:29.126Z",
"dateReserved": "2025-04-01T13:19:54.844Z",
"dateUpdated": "2026-04-28T16:12:12.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31775 (GCVE-0-2025-31775)
Vulnerability from nvd – Published: 2025-04-01 14:51 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress Google SEO Pressor for Rich snippets Plugin <= 2.0 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Inc., Google SEO Pressor Snippet google-seo-author-snippets allows Cross Site Request Forgery.This issue affects Google SEO Pressor Snippet: from n/a through <= 2.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Smackcoders Inc., | Google SEO Pressor Snippet |
Affected:
0 , ≤ 2.0
(custom)
|
Date Public
2026-04-01 16:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T20:32:07.913690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T20:34:12.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "google-seo-author-snippets",
"product": "Google SEO Pressor Snippet",
"vendor": "Smackcoders Inc.,",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Xuan Chien | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:38:23.530Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Inc., Google SEO Pressor Snippet google-seo-author-snippets allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Google SEO Pressor Snippet: from n/a through \u003c= 2.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Inc., Google SEO Pressor Snippet google-seo-author-snippets allows Cross Site Request Forgery.This issue affects Google SEO Pressor Snippet: from n/a through \u003c= 2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:12.629Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/google-seo-author-snippets/vulnerability/wordpress-google-seo-pressor-for-rich-snippets-plugin-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Google SEO Pressor for Rich snippets Plugin \u003c= 2.0 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31775",
"datePublished": "2025-04-01T14:51:22.084Z",
"dateReserved": "2025-04-01T13:19:46.769Z",
"dateUpdated": "2026-04-28T16:12:12.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2007 (GCVE-0-2025-2007)
Vulnerability from nvd – Published: 2025-04-01 04:21 – Updated: 2026-04-08 16:46
VLAI
Title
Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion
Summary
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.19
(semver)
Affected: 7.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2007",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T16:34:29.412504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T16:34:39.261Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.19",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "7.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:46:40.111Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3923c732-80b5-4a04-80dd-b4d5b5e5567d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3261521/wp-ultimate-csv-importer/trunk/MediaHandling.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3266286/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Import Export Suite for CSV and XML Datafeed \u003c= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2007",
"datePublished": "2025-04-01T04:21:20.141Z",
"dateReserved": "2025-03-05T21:29:34.461Z",
"dateUpdated": "2026-04-08T16:46:40.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2008 (GCVE-0-2025-2008)
Vulnerability from nvd – Published: 2025-04-01 04:21 – Updated: 2026-04-08 17:12
VLAI
Title
Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload
Summary
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.19
(semver)
Affected: 7.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T16:21:24.979946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T16:21:35.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.19",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "7.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:19.719Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a114faf9-cada-4132-abe3-c0137b66e276?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3261521/wp-ultimate-csv-importer/trunk/SingleImportExport.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3266286/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-31T15:56:17.000Z",
"value": "Disclosed"
}
],
"title": "Import Export Suite for CSV and XML Datafeed \u003c= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2008",
"datePublished": "2025-04-01T04:21:20.673Z",
"dateReserved": "2025-03-05T21:30:50.072Z",
"dateUpdated": "2026-04-08T17:12:19.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1317 (GCVE-0-2026-1317)
Vulnerability from cvelistv5 – Published: 2026-02-18 12:28 – Updated: 2026-04-08 17:34
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.37
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T20:23:58.469471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:24:06.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.37",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dieu Link"
},
{
"lang": "en",
"type": "finder",
"value": "GCSC Vietnam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the \u0027Single Import/Export\u0027 option is enabled, and the server is running a PHP version \u003c 8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:58.859Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd80133d-03c7-4ecb-ad2c-98950f788ca6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/managerExtensions/LogManager.php#L763"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L181"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3445414"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T23:58:48.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1317",
"datePublished": "2026-02-18T12:28:35.464Z",
"dateReserved": "2026-01-21T23:41:23.912Z",
"dateUpdated": "2026-04-08T17:34:58.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14627 (GCVE-0-2025-14627)
Vulnerability from cvelistv5 – Published: 2026-01-01 16:19 – Updated: 2026-04-08 17:04
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.35
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T20:08:44.277376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:08:58.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.35",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dieu Link"
},
{
"lang": "en",
"type": "finder",
"value": "GCSC Vietnam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:04:57.772Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87040f2b-4de0-4a8d-ae30-b340638a6df2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L290"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3421699/wp-ultimate-csv-importer/trunk/uploadModules/UrlUpload.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-12T21:45:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-01T03:53:26.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14627",
"datePublished": "2026-01-01T16:19:31.257Z",
"dateReserved": "2025-12-12T21:29:55.600Z",
"dateUpdated": "2026-04-08T17:04:57.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13606 (GCVE-0-2025-13606)
Vulnerability from cvelistv5 – Published: 2025-12-02 04:37 – Updated: 2026-04-08 16:45
VLAI
Title
Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure
Summary
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | Export All Posts, Products, Orders, Refunds & Users |
Affected:
0 , ≤ 2.19
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T14:16:54.020245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T14:21:30.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Export All Posts, Products, Orders, Refunds \u0026 Users",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "2.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lucky_buddy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Export All Posts, Products, Orders, Refunds \u0026 Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:45:53.338Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3405694/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-14T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-24T15:06:28.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-01T16:23:28.000Z",
"value": "Disclosed"
}
],
"title": "Export All Posts, Products, Orders, Refunds \u0026 Users \u003c= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13606",
"datePublished": "2025-12-02T04:37:14.256Z",
"dateReserved": "2025-11-24T14:50:42.137Z",
"dateUpdated": "2026-04-08T16:45:53.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13145 (GCVE-0-2025-13145)
Vulnerability from cvelistv5 – Published: 2025-11-19 05:45 – Updated: 2026-04-08 16:56
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.33.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:27:05.837164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:27:18.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.33.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dieu Link"
},
{
"lang": "en",
"type": "finder",
"value": "GCSC Vietnam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:09.377Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e441699-4c78-4277-8ac1-f33b810e78cb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/SingleImportExport.php#L116"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3397842/wp-ultimate-csv-importer/trunk/SingleImportExport.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-13T19:22:27.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T17:44:17.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13145",
"datePublished": "2025-11-19T05:45:13.217Z",
"dateReserved": "2025-11-13T19:07:19.403Z",
"dateUpdated": "2026-04-08T16:56:09.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12732 (GCVE-0-2025-12732)
Vulnerability from cvelistv5 – Published: 2025-11-12 08:28 – Updated: 2026-04-08 16:42
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.33
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:40:42.860039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:40:54.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.33",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin\u0027s admin interface."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:24.421Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-04T22:23:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-11T20:07:42.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12732",
"datePublished": "2025-11-12T08:28:04.060Z",
"dateReserved": "2025-11-04T22:08:04.891Z",
"dateUpdated": "2026-04-08T16:42:24.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10057 (GCVE-0-2025-10057)
Vulnerability from cvelistv5 – Published: 2025-09-17 05:18 – Updated: 2025-09-17 12:49
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Import – Ultimate CSV XML Importer for WordPress |
Affected:
7.20 , ≤ 7.28
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T12:49:05.914618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T12:49:25.672Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Import \u2013 Ultimate CSV XML Importer for WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.28",
"status": "affected",
"version": "7.20",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T05:18:45.276Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/925af22b-a728-496e-a63a-5966347ebe6c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.25/importExtensions/ImportHelpers.php#L585"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/uploadModules/DesktopUpload.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360428/wp-ultimate-csv-importer/trunk/importExtensions/ImportHelpers.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-05T19:51:15.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-16T17:10:32.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10057",
"datePublished": "2025-09-17T05:18:45.276Z",
"dateReserved": "2025-09-05T19:36:05.766Z",
"dateUpdated": "2025-09-17T12:49:25.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10058 (GCVE-0-2025-10058)
Vulnerability from cvelistv5 – Published: 2025-09-17 05:18 – Updated: 2026-04-08 16:55
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-73 - External Control of File Name or Path
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.27
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T12:48:36.842834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T12:48:43.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.27",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:55:07.390Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a6bcfa6-7a40-4566-b4d2-62b696ded2d6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L200"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360611/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-05T19:57:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-16T17:09:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10058",
"datePublished": "2025-09-17T05:18:44.816Z",
"dateReserved": "2025-09-05T19:41:54.480Z",
"dateUpdated": "2026-04-08T16:55:07.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10040 (GCVE-0-2025-10040)
Vulnerability from cvelistv5 – Published: 2025-09-10 06:38 – Updated: 2026-04-08 17:11
VLAI
Title
WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.27
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T20:30:43.299727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T20:30:53.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.27",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_ftp_details\u0027 AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:11:19.923Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcdcaa4-c492-4d79-8d18-44802abd02e7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.26/uploadModules/FtpUpload.php#L231"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3357936/wp-ultimate-csv-importer/trunk/uploadModules/FtpUpload.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-05T17:55:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-09T17:59:47.000Z",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.27 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10040",
"datePublished": "2025-09-10T06:38:49.153Z",
"dateReserved": "2025-09-05T17:40:07.006Z",
"dateUpdated": "2026-04-08T17:11:19.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9990 (GCVE-0-2025-9990)
Vulnerability from cvelistv5 – Published: 2025-09-05 02:25 – Updated: 2026-04-08 16:50
VLAI
Title
WordPress Helpdesk Integration <= 5.8.10 - Unauthenticated Local File Inclusion
Summary
The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WordPress Helpdesk Integration |
Affected:
0 , ≤ 5.8.10
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T15:57:22.328008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T15:59:11.935Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress Helpdesk Integration",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "5.8.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aril Aprilio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:33.382Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49a935cc-7b95-4abd-9a4d-c7e14c765863?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-helpdesk-integration/trunk/index.php#L85"
},
{
"url": "https://plugins.svn.wordpress.org/wp-helpdesk-integration/trunk/index.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-04T14:28:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-04T14:13:08.000Z",
"value": "Disclosed"
}
],
"title": "WordPress Helpdesk Integration \u003c= 5.8.10 - Unauthenticated Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9990",
"datePublished": "2025-09-05T02:25:01.708Z",
"dateReserved": "2025-09-04T14:12:40.568Z",
"dateUpdated": "2026-04-08T16:50:33.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5692 (GCVE-0-2025-5692)
Vulnerability from cvelistv5 – Published: 2025-07-02 02:03 – Updated: 2026-04-08 16:42
VLAI
Title
Lead Form Data Collection to CRM <= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions
Summary
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | Lead Form Data Collection to CRM |
Affected:
0 , ≤ 3.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5692",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-02T13:01:32.622634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-02T13:19:20.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Lead Form Data Collection to CRM",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:41.444Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26404b5c-a0f2-4223-be61-1f03873666fb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-leads-builder-any-crm/trunk/includes/Functions.php#L423"
},
{
"url": "https://wordpress.org/plugins/wp-leads-builder-any-crm/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3319750%40wp-leads-builder-any-crm\u0026new=3319750%40wp-leads-builder-any-crm\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-20T07:21:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-07-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Lead Form Data Collection to CRM \u003c= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-5692",
"datePublished": "2025-07-02T02:03:53.387Z",
"dateReserved": "2025-06-04T20:04:29.128Z",
"dateUpdated": "2026-04-08T16:42:41.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47690 (GCVE-0-2025-47690)
Vulnerability from cvelistv5 – Published: 2025-05-23 12:43 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress Lead Form Data Collection to CRM plugin <= 3.1 - Arbitrary Option Update to Privilege Escalation vulnerability
Summary
Missing Authorization vulnerability in Smackcoders Inc., Lead Form Data Collection to CRM wp-leads-builder-any-crm allows Privilege Escalation.This issue affects Lead Form Data Collection to CRM: from n/a through <= 3.1.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Smackcoders Inc., | Lead Form Data Collection to CRM |
Affected:
0 , ≤ 3.1
(custom)
|
Date Public
2026-04-01 16:40
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47690",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:27:31.112418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T14:27:36.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-leads-builder-any-crm",
"product": "Lead Form Data Collection to CRM",
"vendor": "Smackcoders Inc.,",
"versions": [
{
"changes": [
{
"at": "3.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:58.486Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Smackcoders Inc., Lead Form Data Collection to CRM wp-leads-builder-any-crm allows Privilege Escalation.\u003cp\u003eThis issue affects Lead Form Data Collection to CRM: from n/a through \u003c= 3.1.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Smackcoders Inc., Lead Form Data Collection to CRM wp-leads-builder-any-crm allows Privilege Escalation.This issue affects Lead Form Data Collection to CRM: from n/a through \u003c= 3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:50.142Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-leads-builder-any-crm/vulnerability/wordpress-lead-form-data-collection-to-crm-plugin-3-1-arbitrary-option-update-to-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Lead Form Data Collection to CRM plugin \u003c= 3.1 - Arbitrary Option Update to Privilege Escalation vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47690",
"datePublished": "2025-05-23T12:43:18.277Z",
"dateReserved": "2025-05-07T10:45:47.045Z",
"dateUpdated": "2026-04-28T16:12:50.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31788 (GCVE-0-2025-31788)
Vulnerability from cvelistv5 – Published: 2025-04-01 14:51 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress AIO Performance Profiler, Monitor, Optimize, Compress & Debug plugin <= 1.3 - Sensitive Data Exposure vulnerability
Summary
Insertion of Sensitive Information into Log File vulnerability in Smackcoders Inc., AIO Performance Profiler, Monitor, Optimize, Compress & Debug all-in-one-performance-accelerator allows Retrieve Embedded Sensitive Data.This issue affects AIO Performance Profiler, Monitor, Optimize, Compress & Debug: from n/a through <= 1.3.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Smackcoders Inc., | AIO Performance Profiler, Monitor, Optimize, Compress & Debug |
Affected:
0 , ≤ 1.3
(custom)
|
Date Public
2026-04-01 16:37
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T18:36:44.401161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T18:36:54.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "all-in-one-performance-accelerator",
"product": "AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug",
"vendor": "Smackcoders Inc.,",
"versions": [
{
"lessThanOrEqual": "1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mika | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:37:55.961Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information into Log File vulnerability in Smackcoders Inc., AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug all-in-one-performance-accelerator allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug: from n/a through \u003c= 1.3.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File vulnerability in Smackcoders Inc., AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug all-in-one-performance-accelerator allows Retrieve Embedded Sensitive Data.This issue affects AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug: from n/a through \u003c= 1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:12.745Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/all-in-one-performance-accelerator/vulnerability/wordpress-aio-performance-profiler-monitor-optimize-compress-debug-plugin-1-2-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress AIO Performance Profiler, Monitor, Optimize, Compress \u0026 Debug plugin \u003c= 1.3 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31788",
"datePublished": "2025-04-01T14:51:29.126Z",
"dateReserved": "2025-04-01T13:19:54.844Z",
"dateUpdated": "2026-04-28T16:12:12.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31775 (GCVE-0-2025-31775)
Vulnerability from cvelistv5 – Published: 2025-04-01 14:51 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress Google SEO Pressor for Rich snippets Plugin <= 2.0 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Inc., Google SEO Pressor Snippet google-seo-author-snippets allows Cross Site Request Forgery.This issue affects Google SEO Pressor Snippet: from n/a through <= 2.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Smackcoders Inc., | Google SEO Pressor Snippet |
Affected:
0 , ≤ 2.0
(custom)
|
Date Public
2026-04-01 16:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T20:32:07.913690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T20:34:12.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "google-seo-author-snippets",
"product": "Google SEO Pressor Snippet",
"vendor": "Smackcoders Inc.,",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Xuan Chien | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:38:23.530Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Inc., Google SEO Pressor Snippet google-seo-author-snippets allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Google SEO Pressor Snippet: from n/a through \u003c= 2.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Smackcoders Inc., Google SEO Pressor Snippet google-seo-author-snippets allows Cross Site Request Forgery.This issue affects Google SEO Pressor Snippet: from n/a through \u003c= 2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:12.629Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/google-seo-author-snippets/vulnerability/wordpress-google-seo-pressor-for-rich-snippets-plugin-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Google SEO Pressor for Rich snippets Plugin \u003c= 2.0 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31775",
"datePublished": "2025-04-01T14:51:22.084Z",
"dateReserved": "2025-04-01T13:19:46.769Z",
"dateUpdated": "2026-04-28T16:12:12.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2008 (GCVE-0-2025-2008)
Vulnerability from cvelistv5 – Published: 2025-04-01 04:21 – Updated: 2026-04-08 17:12
VLAI
Title
Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload
Summary
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.19
(semver)
Affected: 7.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T16:21:24.979946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T16:21:35.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.19",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "7.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:19.719Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a114faf9-cada-4132-abe3-c0137b66e276?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3261521/wp-ultimate-csv-importer/trunk/SingleImportExport.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3266286/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-31T15:56:17.000Z",
"value": "Disclosed"
}
],
"title": "Import Export Suite for CSV and XML Datafeed \u003c= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2008",
"datePublished": "2025-04-01T04:21:20.673Z",
"dateReserved": "2025-03-05T21:30:50.072Z",
"dateUpdated": "2026-04-08T17:12:19.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2007 (GCVE-0-2025-2007)
Vulnerability from cvelistv5 – Published: 2025-04-01 04:21 – Updated: 2026-04-08 16:46
VLAI
Title
Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion
Summary
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress |
Affected:
0 , ≤ 7.19
(semver)
Affected: 7.20 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2007",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T16:34:29.412504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T16:34:39.261Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate CSV Importer \u2013 Import CSV, XML \u0026 Excel into WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.19",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "7.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:46:40.111Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3923c732-80b5-4a04-80dd-b4d5b5e5567d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3261521/wp-ultimate-csv-importer/trunk/MediaHandling.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3266286/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Import Export Suite for CSV and XML Datafeed \u003c= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2007",
"datePublished": "2025-04-01T04:21:20.141Z",
"dateReserved": "2025-03-05T21:29:34.461Z",
"dateUpdated": "2026-04-08T16:46:40.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}