Overview
A critical remote code execution vulnerability has been identified in the WP Ultimate CSV Importer plugin for WordPress, tracked as CVE-2026-13353. The flaw carries a CVSS score of 8.8 and affects all versions up to and including 8.0.1.
The vulnerability stems from missing capability checks on AJAX handlers — specifically install_addon and related functions — combined with improper sanitization of the MappedFields parameter. Exploitation allows attackers with low-privilege authenticated access to execute arbitrary PHP code on the hosting server.
Technical Details
The vulnerable AJAX handlers in WP Ultimate CSV Importer fail to validate the caller's capability level before processing requests. The MappedFields parameter passed to these handlers is not adequately sanitized, enabling an attacker to inject and execute malicious PHP code server-side.
Attack Vector
| Property | Value |
|---|---|
| CVSS Score | 8.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
Exploitation Flow
- Attacker authenticates with a low-privilege WordPress account (e.g., subscriber or contributor role)
- Sends a crafted AJAX request to the vulnerable
install_addonhandler - Injects malicious PHP via the
MappedFieldsparameter - Server executes injected code with web server privileges
Affected Versions
All versions of WP Ultimate CSV Importer up to and including 8.0.1 are vulnerable.
Remediation
WordPress site administrators should take the following steps immediately:
- Update the plugin to a patched version (8.0.2 or later) as soon as it becomes available from the WordPress plugin repository
- Temporarily deactivate the plugin if a patch is not yet available and the plugin is not essential to site operations
- Review server logs for suspicious AJAX requests targeting
install_addonorwp-admin/admin-ajax.php - Implement a Web Application Firewall (WAF) rule to block unexpected AJAX requests to the vulnerable handlers
- Audit WordPress user accounts and ensure minimal privilege is granted — especially limiting subscriber/contributor accounts if they are not necessary
Indicators of Compromise
Administrators should monitor for:
- Unusual requests to
admin-ajax.phpwithaction=install_addonfrom non-administrator sessions - Unexpected file creation or modification in the
wp-content/directory tree - New PHP files with obfuscated content or eval-based payloads
- Outbound connections to unfamiliar hosts from the web server process