Atomic Edge analysis of CVE-2026-1317:
This vulnerability is an authenticated SQL injection in the WP Import – Ultimate CSV XML Importer for WordPress plugin, affecting versions up to and including 7.37. The flaw resides in the plugin’s file import functionality, allowing attackers with Subscriber-level access or higher to inject malicious SQL commands via a crafted filename. Successful exploitation requires the ‘Single Import/Export’ option to be enabled and a server running PHP version below 8.0. The CVSS score of 6.5 reflects the combination of authenticated access requirements and the potential for sensitive database information disclosure.

Root Cause:
The vulnerability originates from insufficient escaping and sanitization of the `file_name` parameter stored in the database during file upload operations. The plugin stores uploaded filenames in the `{$wpdb->prefix}smackuci_file_uploads` table without proper validation. Later, when processing imports, the plugin retrieves this filename from the database and interpolates it directly into raw SQL queries instead of using prepared statements, which makes this a second-order (stored) injection: the payload is inert while it sits in the table and only becomes query text when it is read back and reused. The vulnerable code is located in `/wp-ultimate-csv-importer/SaveMapping.php` at lines 1341, 1399, and 1410 in the unpatched version. These lines construct SQL queries by concatenating the `$hash_key` variable (which can be influenced via the filename) directly into double-quoted query strings through PHP variable interpolation. Because the value is trusted once it comes back out of the database, escaping it at upload time would not be a complete fix; the defect is in how the queries are built.

Exploitation:
An attacker must first authenticate with at least Subscriber privileges, and the target site must have the ‘Single Import/Export’ feature enabled and be running PHP below 8.0. The attack vector involves uploading a file whose filename carries the SQL injection payload. When the plugin processes the import, it retrieves the filename from the database and uses it in SQL queries without proper sanitization, so the attacker can append additional SQL to the affected SELECT statements and extract sensitive information from the WordPress database. The requests go through `/wp-admin/admin-ajax.php`, with the `action` parameter set to the plugin’s AJAX handlers that trigger the import process; the payload itself is embedded in the filename parameter during the initial file upload phase.

Patch Analysis:
The patch replaces direct string interpolation in SQL queries with prepared statements built by `$wpdb->prepare()`. In `/wp-ultimate-csv-importer/SaveMapping.php`, three vulnerable queries were modified:
Line 1341, before: "SELECT status FROM $log_table_name WHERE hash_key = '$hash_key' "
Line 1341, after: $wpdb->prepare("SELECT status FROM $log_table_name WHERE hash_key = %s ", $hash_key)
Line 1399, before: "SELECT mapping , module FROM $template_table_name WHERE `eventKey` = '$hash_key' "
Line 1399, after: $wpdb->prepare("SELECT mapping , module FROM $template_table_name WHERE `eventKey` = %s ", $hash_key)
Line 1410, before: "SELECT id , mode ,file_name , total_rows FROM $file_table_name WHERE `hash_key` = '$hash_key'"
Line 1410, after: $wpdb->prepare("SELECT id , mode ,file_name , total_rows FROM $file_table_name WHERE `hash_key` = %s", $hash_key)
`prepare()` quotes and escapes each `%s` argument, so `$hash_key` is handled as a value rather than as part of the query text, and the SQL structure is fixed before the data is supplied. Note that the table names are still interpolated; that is acceptable only because they are derived from `$wpdb->prefix` rather than from request data.

Impact:
Successful exploitation lets an authenticated attacker inject into the affected SELECT queries and read arbitrary data from the WordPress database. This can expose sensitive information such as user credentials (hashed passwords), personal data, plugin settings, and other confidential content stored in the database. While the vulnerability requires Subscriber-level access, this is a low barrier because many WordPress sites allow open user registration. The disclosed data can facilitate further attacks, including privilege escalation and complete site takeover if administrative credentials are recovered, for example by cracking the leaked password hashes.