What the vulnerability does
01 Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Explanation of Vulnerability in Simple Terms
02 Summary
WP Ultimate CSV Importer versions up to 7.33.1 contain a deserialization vulnerability that allows high-privilege users to execute arbitrary PHP code on the site. An attacker with admin or editor access can craft malicious serialized data to trigger code execution during CSV import operations. This affects all installations of the plugin up to the stated version.
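The sink class described above, as an added PHP illustration that is not code from the plugin: a CSV cell handed straight to unserialize() beside a hardened variant that refuses to materialize objects. Function names, the sample rows and the class name "AnyClass" are hypothetical.

```php
<?php
// Added example, not code from WP Ultimate CSV Importer. It shows the sink class the
// advisory describes (unserialize() on a CSV cell) beside a hardened alternative.

// Constructed sample rows: a legitimate serialized array in the third column, then a
// serialized object of a hypothetical class "AnyClass" in the same column.
$constructedRows = [
    'Hello,post,"a:1:{s:5:""color"";s:3:""red"";}"',
    'Hello,post,"O:8:""AnyClass"":0:{}"',
];

// Vulnerable pattern: the cell goes straight to unserialize(). If any installed plugin
// or theme defines a class with __wakeup()/__destruct() side effects, the importer
// instantiates it from attacker-supplied data; that is the POP-chain entry point.
function import_meta_vulnerable(string $cell) {
    return unserialize($cell);
}

// Hardened pattern: never materialize objects from import data. Scalars and arrays
// still round-trip, so legitimate serialized meta values keep working.
function import_meta_hardened(string $cell) {
    // allowed_classes=false turns every object into __PHP_Incomplete_Class and skips
    // the original class's __wakeup()/__destruct() entirely.
    $value = @unserialize($cell, ['allowed_classes' => false]);
    if ($value === false && $cell !== 'b:0;') {
        return null; // malformed input: discard rather than guess
    }
    return contains_object($value) ? null : $value;
}

// Any object left after the restricted unserialize() means the input tried to smuggle
// one in (possibly nested inside an array), so the whole cell is rejected.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}
foreach ($constructedRows as $row) {
    $cells = str_getcsv($row);
    var_dump(import_meta_hardened($cells[2]));
}
```

If the import format does not genuinely need serialized values, the stronger fix is to accept only JSON or plain scalars for that column and drop unserialize() from the import path altogether.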
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site with the privileges of the WordPress user performing the import.
Potential impact on your site
04 Site Impact
A compromised admin or editor account can be used to execute code, modify site data, or install backdoors.
Conditions required to exploit
05 Prerequisites
An attacker must have high-level WordPress privileges (admin or editor role) and network access to the site.
Key dates
06 Disclosure timeline
November 19, 2025: CVE published
April 8, 2026: Record updated