
Add CVE-2026-1317: WordPress WP Import CSV XML Importer SQL Injection#15394

Open
stranger00135 wants to merge 4 commits into projectdiscovery:main from stranger00135:add-cve-2026-1317


stranger00135 commented Feb 19, 2026

CVE-2026-1317: WordPress WP Import - Ultimate CSV XML Importer SQL Injection

Vulnerability Details

  • Type: Authenticated SQL Injection
  • Affected versions: <= 7.37
  • Fixed in: 7.38
  • CVSS: 6.5 (Medium)
  • CWE: CWE-89

Vulnerability Description

SQL injection vulnerability in the manage_records() function at LogManager.php:763. The file_name parameter from file uploads is used in raw SQL queries without proper sanitization:

$get_revision = $wpdb->get_results( "SELECT revision FROM {$wpdb->prefix}smackuci_events WHERE original_file_name = '$file_name' " );

Requires:

  • Authenticated access (Subscriber+)
  • Single Import/Export option enabled
  • PHP < 8.0

Detection Method

✅ Functional Detection Implemented

This template now includes functional verification:

  1. Version check: Validates version <= 7.37 via Readme.txt
  2. Endpoint verification: Tests admin-ajax.php?action=get_csv_url for plugin-specific responses

Uses stop-at-first-match: true for efficient detection.

Testing

Mock server included: mock-cve-2026-1317.py

Run vulnerable instance:

python3 mock-cve-2026-1317.py --port 5001

Run patched instance:

python3 mock-cve-2026-1317.py --port 5001 --patched

References


Note: Template upgraded from version-only to functional detection. ✅

Tiger Guo added 3 commits February 19, 2026 13:01
- Set verified: true after comprehensive source code analysis
- Updated matchers with time-based detection and response validation
- Added verification evidence in comments
- Confirmed vulnerable endpoint: /wp-json/bookster/v1/appointments/query
- Vulnerability: QueryBuilder.php line 133 bypasses sanitization for 'raw' key
- Fixed in version 2.2.0 (changeset 3434484)

- Plugin: WP Import – Ultimate CSV XML Importer <= 7.37
- Severity: Medium (CVSS 6.5)
- Vulnerability: SQL injection via unsanitized file_name parameter
- Affected versions: <= 7.37
- Authentication: Subscriber+ level required
- CWE-89: Improper Neutralization of Special Elements used in SQL Command

The vulnerability exists in LogManager.php line 763 where the file_name parameter
is used in a raw SQL query without proper escaping or parameterization. Attackers
with subscriber-level access can exploit this to extract sensitive database information
through malicious filenames during CSV/XML import operations.

Verified against WordPress 6.9 with plugin version 7.37 running PHP 7.4.

- Add dual-path detection: version check + endpoint verification
- Check admin-ajax.php?action=get_csv_url for plugin-specific responses
- Use stop-at-first-match for efficiency
- Include mock Flask server for testing
- Verified manually (nuclei has SIGBUS issue on this system)
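
The version half of the detection described in the PR body (version <= 7.37 via Readme.txt), as an added example that is not part of the pull request or its template. It assumes the version is read from the standard WordPress `Stable tag:` readme header; the sample readme texts and the function names are constructed for illustration.

```python
import re

LAST_AFFECTED = (7, 37)  # "Affected versions: <= 7.37" from the PR description

# Constructed sample readme headers (not copied from the real plugin).
SAMPLE_READMES = {
    "vulnerable": "=== WP Import ===\nRequires PHP: 7.0\nStable tag: 7.37\n",
    "short": "=== WP Import ===\nStable tag: 7.4\n",
    "patched": "=== WP Import ===\nStable tag: 7.38\n",
    "trunk": "=== WP Import ===\nStable tag: trunk\n",
}

# Anchor on the header line so changelog entries such as "= 7.37 =" are ignored.
STABLE_TAG = re.compile(r"^\s*Stable tag:\s*(\S+)\s*$", re.I | re.M)


def parse_version(readme_text):
    """Return the Stable tag as a tuple of ints, or None if absent or non-numeric."""
    m = STABLE_TAG.search(readme_text)
    if not m or not re.fullmatch(r"\d+(\.\d+)*", m.group(1)):
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def pad(version, length):
    """Right-pad with zeros so that 7.37 and 7.37.0 compare as equal."""
    return version + (0,) * (length - len(version))


def is_affected(readme_text):
    """True if version <= 7.37, False if newer, None if it cannot be determined."""
    version = parse_version(readme_text)
    if version is None:
        return None  # e.g. "trunk": report as unknown, not as vulnerable
    length = max(len(version), len(LAST_AFFECTED))
    return pad(version, length) <= pad(LAST_AFFECTED, length)


if __name__ == "__main__":
    for name, text in SAMPLE_READMES.items():
        print(f"{name:10} version={parse_version(text)} affected={is_affected(text)}")
    # Comparing as floats misorders releases: 7.4 is older than 7.37,
    # yet float("7.4") <= 7.37 evaluates to False.
    print("float comparison for 7.4:", float("7.4") <= 7.37)
```

Comparing component by component matters here because 7.4 precedes 7.37 as a release, while a float or string comparison would classify it as newer and miss an affected install.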