WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name
Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Technical Details
Affected versions: <=7.37
What Changed in the Fix
Changes introduced in v7.38
Source Code
WordPress.org SVN
This plan outlines the exploitation research for CVE-2026-1317, a SQL injection vulnerability in the WP Ultimate CSV Importer plugin.
1. Vulnerability Summary
The "WP Import – Ultimate CSV XML Importer" plugin (versions <= 7.37) is vulnerable to SQL injection because it stores a user-supplied file_name (during file upload or mapping) in the database and subsequently uses that value in raw SQL queries without proper sanitization or parameterization using $wpdb->prepare().
The vulnerability requires the "Single Import/Export" feature to be enabled, which exposes the importer UI on standard WordPress post/page editors, and the server must be running PHP < 8.0. Authenticated users with Subscriber roles can exploit this to extract sensitive data via time-based or union-based payloads injected into the filename.
2. Attack Vector Analysis
- Endpoint: wp-admin/admin-ajax.php
- Actions:
  - saveMappedFields (to store the malicious filename in the mapping configuration).
  - StartImport (to trigger the processing logic that uses the stored filename in a query).
  - download_media_log (potential direct sink).
- Vulnerable Parameter: file_name (often passed within the MappedFields JSON or via the upload process).
- Authentication: Subscriber-level access (provided the "Single Import/Export" setting is enabled).
- Preconditions:
  - Plugin version <= 7.37.
  - PHP version < 8.0.
  - Setting enable_main_mode or "Single Import/Export" enabled.
3. Code Flow
- Input Stage: A user (Subscriber) invokes the wp_ajax_saveMappedFields action defined in SaveMapping.php.
- Storage Stage: The save_fields_function() processes $_POST['MappedFields']. In CoreFieldsImport.php, the function set_core_values extracts the featured_file_name from the post data:

```php
// CoreFieldsImport.php line 123
$media_handle['media_settings']['file_name'] = isset($post_values['featured_file_name']) ? $post_values['featured_file_name'] : '';
update_option('smack_image_options', $media_handle);
```

- Sink Stage: When an import starts via wp_ajax_StartImport, the plugin retrieves these options. The malicious file_name is used in a raw query (likely in the MediaImport or MediaHandling extensions, not fully provided, but indicated by the vulnerability description).
- Alternative Sink: LogManager::download_media_log processes $_POST['filename']. If the hash_key logic is bypassed or if the query building for log retrieval uses the filename
Summary
The WP Ultimate CSV Importer plugin is vulnerable to SQL Injection because it stores a user-supplied 'file_name' (via the featured_file_name parameter) in the database and subsequently retrieves it for use in raw SQL queries without proper sanitization. Authenticated attackers with Subscriber-level access can exploit this to extract sensitive database information when the 'Single Import/Export' feature is enabled and the server is running PHP versions older than 8.0.
Vulnerable Code
```php
// importExtensions/CoreFieldsImport.php:111
if (!empty($media_meta)) {
    if ($media_handle['media_settings']['media_handle_option'] == 'true') {
        $post_values = $helpers_instance->get_header_values($media_meta, $header_array, $value_array);
        $media_handle['media_settings']['title'] = isset($post_values['featured_image_title']) ? $post_values['featured_image_title'] : '';
        $media_handle['media_settings']['caption'] = isset($post_values['featured_image_caption']) ? $post_values['featured_image_caption'] : '';
        $media_handle['media_settings']['alttext'] = isset($post_values['featured_image_alt_text']) ? $post_values['featured_image_alt_text'] : '';
        $media_handle['media_settings']['description'] = isset($post_values['featured_image_description']) ? $post_values['featured_image_description'] : '';
        // The file_name is assigned directly from user-controlled header values without sanitization
        $media_handle['media_settings']['file_name'] = isset($post_values['featured_file_name']) ? $post_values['featured_file_name'] : '';
        update_option('smack_image_options', $media_handle);
        $media_handle = get_option('smack_image_options');
    }
}
```
Security Fix
@@ -120,7 +120,7 @@ $media_handle['media_settings']['caption'] = isset($post_values['featured_image_caption']) ? $post_values['featured_image_caption'] : ''; $media_handle['media_settings']['alttext'] = isset($post_values['featured_image_alt_text']) ? $post_values['featured_image_alt_text'] : ''; $media_handle['media_settings']['description'] = isset($post_values['featured_image_description']) ? $post_values['featured_image_description'] : ''; - $media_handle['media_settings']['file_name'] = isset($post_values['featured_file_name']) ? $post_values['featured_file_name'] : ''; + $media_handle['media_settings']['file_name'] = isset($post_values['featured_file_name']) ? sanitize_file_name($post_values['featured_file_name']) : ''; update_option('smack_image_options', $media_handle); $media_handle = get_option('smack_image_options');
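Review bot: sanitize_file_name() is a filename filter, not SQL escaping or parameterization, so this hunk hardens only the write into smack_image_options (the file_name assignment at line 123) and leaves the sink untouched: the raw query that later reads media_settings.file_name (described in the Code Flow section as lacking $wpdb->prepare()) still interpolates whatever is stored. A payload persisted in the option before the upgrade, or written by any other code path that updates smack_image_options, therefore still reaches that query. Suggest keeping the sanitize_file_name() call as defense in depth but also binding the value at the sink, e.g. `$wpdb->prepare("... WHERE file_name = %s", $media_handle['media_settings']['file_name'])`, and re-sanitizing or clearing the already-stored option on upgrade.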
Exploit Outline
1. Authenticate as a Subscriber-level user (or higher) on a site where 'Single Import/Export' mode is enabled and the server runs PHP < 8.0.
2. Access the importer functionality (often available on the post/page editor in this mode).
3. Send an AJAX request to 'wp-admin/admin-ajax.php' with the action 'saveMappedFields'.
4. In the 'MappedFields' JSON payload, include a malicious SQL injection string for the 'featured_file_name' key (e.g., "image.png' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -").
5. This payload is saved into the 'smack_image_options' WordPress option.
6. Trigger the import process by calling the 'StartImport' action via AJAX.
7. The plugin retrieves the malicious filename from the options and executes a raw SQL query during the media handling phase, triggering the time-based injection.
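The preconditions listed under Attack Vector Analysis and step 5 of the outline above (the payload is persisted in the smack_image_options option) suggest a two-part triage for site owners: is the site exploitable right now, and has a malicious filename already been stored? The helper below is an added example written for this page; it is not code from the advisory or from the plugin. It assumes you collect the inputs yourself (plugin version from the WordPress plugin list or `wp plugin list`, PHP version from `php -v`, and the option as emitted by `wp option get smack_image_options --format=json`), and it assumes the option decodes to a JSON object with a `media_settings.file_name` key, mirroring the array shape in the Vulnerable Code section. The sample option embedded in the script is constructed from the payload in step 4.

```python
"""Triage helper for CVE-2026-1317 exposure (added example, not plugin code).

Inputs (gathered by the operator, all assumed shapes):
  - plugin version string, e.g. "7.37"
  - PHP version string, e.g. "7.4.33"
  - whether 'Single Import/Export' mode is enabled
  - JSON text from: wp option get smack_image_options --format=json
Reports whether the advisory's preconditions hold and whether the persisted
media_settings.file_name already carries SQL metacharacters. The latter matters
because v7.38 sanitizes only on write: a payload stored earlier survives.
"""
import json
import re

FIXED_VERSION = (7, 38)   # advisory: all versions <= 7.37 affected
PHP_SAFE_FROM = (8, 0)    # advisory: only exploitable on PHP < 8.0

# Heuristic markers for an injected filename: quotes, statement/comment
# terminators, and the time-based / union primitives from the exploit outline.
INJECTION_MARKERS = re.compile(
    r"""['"`;]|/\*|--\s|\bsleep\s*\(|\bbenchmark\s*\(|\bunion\s+(?:all\s+)?select\b""",
    re.IGNORECASE,
)

# Constructed sample: the structure seen in CoreFieldsImport.php with the
# advisory's example payload stored as file_name.
SAMPLE_OPTION = json.dumps({
    "media_settings": {
        "media_handle_option": "true",
        "title": "", "caption": "", "alttext": "", "description": "",
        "file_name": "image.png' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -",
    }
})


def parse_version(v: str) -> tuple:
    """'7.37' -> (7, 37); tolerates forms like '7.4.33' or '8.1.2-ubuntu'."""
    nums = re.findall(r"\d+", v)
    return tuple(int(n) for n in nums[:3]) if nums else (0,)


def plugin_vulnerable(version: str) -> bool:
    """True for every release before the fixed 7.38 (i.e. <= 7.37)."""
    return parse_version(version)[:2] < FIXED_VERSION


def php_affected(version: str) -> bool:
    """True when the interpreter is in the PHP < 8.0 range the advisory names."""
    return parse_version(version)[:2] < PHP_SAFE_FROM


def stored_file_name(option_json: str) -> str:
    """Pull media_settings.file_name out of the wp-cli JSON dump (assumed shape)."""
    data = json.loads(option_json)
    return str(data.get("media_settings", {}).get("file_name", ""))


def triage(plugin_version: str, php_version: str,
           single_mode_enabled: bool, option_json: str) -> dict:
    """Combine the precondition checks with a scan of the persisted filename."""
    fname = stored_file_name(option_json)
    findings = {
        "plugin_vulnerable": plugin_vulnerable(plugin_version),
        "php_affected": php_affected(php_version),
        "single_mode_enabled": single_mode_enabled,
        "stored_file_name": fname,
        # Set even on a patched site: the stored value is not re-sanitized.
        "payload_persisted": bool(INJECTION_MARKERS.search(fname)),
    }
    findings["exploitable_now"] = (
        findings["plugin_vulnerable"]
        and findings["php_affected"]
        and single_mode_enabled
    )
    return findings


if __name__ == "__main__":
    print(json.dumps(triage("7.37", "7.4.33", True, SAMPLE_OPTION), indent=2))
```

If `payload_persisted` is true after upgrading to 7.38, treat the stored option as attacker-controlled data: inspect who wrote it (the saveMappedFields action is reachable from Subscriber accounts in this mode), reset it, and review database query logs from the time window, since the patched code path still reads that value.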