What the vulnerability does
01 Description
The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Explanation of Vulnerability in Simple Terms
02 Summary
Simple User Import Export versions up to 1.1.7 contain a vulnerability that allows high-privilege users to read sensitive data, modify site content, or disrupt service. The flaw affects multiple security functions and can impact the broader site environment. A high-privilege account is required to exploit this issue.
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify site content, or disrupt service availability.
Potential impact on your site
04 Site Impact
High-privilege accounts (admins) could be compromised to leak data, alter content, or cause downtime.
Conditions required to exploit
05 Prerequisites
Attacker must have high-privilege account access; no user interaction required.
Key dates
06 Disclosure timeline
November 18, 2025
CVE published
April 8, 2026
Record updated