CyberRota
← Ana sayfaya dön

CVE-2026-13353

HIGH · CVSS 8.8 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-11T04:17:16.937 · Çekilme zamanı: 2026-07-11T06:05:46.779408+00:00

CyberRota Yorumu

Saldırganın giriş yapmış olması gerekebilir. Uzaktan istismar edilebilir olabilir.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

Tespit Edilen Sinyaller
remote code execution code execution

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-13353
Severity
HIGH
CVSS
8.8
EPSS
Yok
WordPress

Orijinal NVD Açıklaması

The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.