CVE-2026-1317: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in smackcoders WP Import – Ultimate CSV XML Importer for WordPress
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL queries without proper sanitization. This makes it possible for authenticated attackers with Subscriber-level access or higher to append additional SQL queries into already existing queries via a malicious filename, which can be used to extract sensitive information from the database. The vulnerability can only be exploited when the 'Single Import/Export' option is enabled, and the server is running a PHP version < 8.0.
AI Analysis
Technical Summary
CVE-2026-1317 is a SQL Injection vulnerability identified in the WP Import – Ultimate CSV XML Importer plugin for WordPress, affecting all versions up to and including 7.37. The root cause is insufficient escaping and sanitization of the 'file_name' parameter, which is stored in the database during file upload and later used in raw SQL queries without proper neutralization. An authenticated attacker with at least Subscriber-level privileges can exploit this by uploading a file with a maliciously crafted filename that appends additional SQL commands to existing queries. This can lead to unauthorized extraction of sensitive information from the database. The vulnerability is conditional on two factors: the 'Single Import/Export' option must be enabled in the plugin settings, and the server must be running a PHP version earlier than 8.0, as PHP 8.0+ likely mitigates the issue due to changes in how queries are handled or escaping functions behave. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality only. There are no known exploits in the wild at this time, but the vulnerability poses a significant risk of data leakage if exploited. The plugin is widely used in WordPress environments, which are common in European organizations, especially those relying on CSV/XML import functionality for content or data management.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive data stored in WordPress databases, including user information, business data, or configuration details. Since exploitation requires authenticated access at Subscriber level or above, attackers who gain or already have low-level access could escalate their capabilities by extracting confidential information. This risk is heightened in environments where the plugin's 'Single Import/Export' feature is enabled and PHP versions below 8.0 are in use, which is common in legacy or unpatched systems. Data leakage could result in compliance violations under GDPR, reputational damage, and potential financial losses. The vulnerability does not directly impact data integrity or availability, but the confidentiality breach alone is significant. Organizations running WordPress sites with this plugin, especially those handling sensitive or regulated data, face increased risk if mitigations are not applied promptly.
Mitigation Recommendations
1. Upgrade the WP Import – Ultimate CSV XML Importer plugin to a version beyond 7.37 once a patch is released, or monitor vendor advisories for updates.
2. If immediate patching is not possible, disable the 'Single Import/Export' feature to prevent exploitation.
3. Upgrade the server PHP version to 8.0 or higher, as this mitigates the vulnerability by changing how SQL queries are processed.
4. Implement strict access controls to limit Subscriber-level accounts and monitor for suspicious file upload activities.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'file_name' parameter.
6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and PHP versions.
7. Educate administrators on the risks of using outdated plugins and encourage timely updates.
8. Review and sanitize all user inputs, including file metadata, as a best practice to reduce injection risks.
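The stored-filename pattern the technical summary describes (a name saved at upload time and later interpolated into raw SQL) and the input-handling practice in recommendation 8, shown as an added PHP illustration. This is not the plugin's code; the table name `example_imports` and the function names are assumed, and only the WordPress `$wpdb` API and `sanitize_file_name()` are real.

```php
<?php
// Added illustration of the pattern in this advisory, not the plugin's own code.
// Hypothetical table: {$wpdb->prefix}example_imports with a file_name column.
// A filename stored at upload time is later used in a query; when it is
// concatenated into the SQL text, the stored value is treated as SQL
// (a second-order / stored injection). Binding it as a value fixes this.

// Vulnerable shape: the stored name becomes part of the SQL string.
function lookup_import_unsafe( wpdb $wpdb, string $stored_file_name ) {
    $table = $wpdb->prefix . 'example_imports'; // hypothetical table
    // Whatever was stored in file_name is now SQL syntax, not data.
    return $wpdb->get_row(
        "SELECT * FROM {$table} WHERE file_name = '{$stored_file_name}'"
    );
}

// Hardened shape: the name is passed as a %s placeholder to $wpdb->prepare(),
// so the database sees it as a string value regardless of its contents.
function lookup_import_safe( wpdb $wpdb, string $stored_file_name ) {
    $table = $wpdb->prefix . 'example_imports'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE file_name = %s",
        $stored_file_name
    );
    return $wpdb->get_row( $sql );
}

// Defence in depth at the upload boundary: normalise the name before it is
// stored and reject empty or oversized results. This complements prepare()
// at the query; it does not replace it, because the stored value may be
// read by other code paths later.
// Returns the new row id, or false if the name was rejected or the insert failed.
function store_upload_name( wpdb $wpdb, string $raw_name ) {
    $table = $wpdb->prefix . 'example_imports'; // hypothetical table
    $clean = sanitize_file_name( $raw_name );   // WordPress core: strips unsafe characters
    if ( '' === $clean || strlen( $clean ) > 255 ) {
        return false;
    }
    $ok = $wpdb->insert( $table, array( 'file_name' => $clean ), array( '%s' ) );
    return $ok ? (int) $wpdb->insert_id : false;
}
```

The hardened lookup binds the value at the point of use, which is what makes the earlier storage step irrelevant to the query's structure.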
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-21T23:41:23.912Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6995b46b80d747be206b6168
Added to database: 2/18/2026, 12:45:31 PM
Last enriched: 2/18/2026, 1:00:31 PM
Last updated: 2/18/2026, 2:46:58 PM