Security Vulnerability Fixed in WP Ultimate CSV Importer – Here’s What Changed

Ultimate-csv-Importer-Vulnerbility-fix

Security is something we should take seriously — not just when everything’s running smoothly, but especially when things need our attention.

Recently, a couple of security vulnerabilities were reported in the free version of our WP Ultimate CSV Importer plugin by the Wordfence team. These were disclosed through the Wordfence Bug Bounty Program, and we acted immediately to fix the issues. While the Pro version was not part of the report, we’ve proactively implemented the same security enhancements there as well.

Here’s in this blog we’ll discuss what happened exactly, what we fixed, and what you should do next.

What Was Reported: The Security Flaws Identified

The Wordfence team reached out to us regarding two authenticated vulnerabilities in the free version (7.19 and earlier) of WP Ultimate CSV Importer:

  • Arbitrary File Upload: Under specific conditions, users with basic access (such as Subscribers) could upload unsafe files.
  • Arbitrary File Deletion: Those same users could potentially delete files, including critical files like wp-config.php.

These issues were responsibly disclosed by a researcher through the Wordfence Bug Bounty Program. We appreciate the responsible disclosure and the opportunity to address the issue before any real-world impact.

How We Responded: Fixes in the Free and Pro Versions

We immediately prioritized a fix. Within just a few weeks, we released the free plugin with patches for both issues. Please download the latest version of WP Ultimate CSV Importer from wordpress.org.

Even though the Pro version was not affected, we applied the same security measures there for consistency and additional safety. The Pro update was released on April 3, 2025.

Here are the key changes included:

  • Reinforced permission checks to restrict file actions to trusted user roles.
  • Enhanced file validation to prevent potentially harmful file types.
  • Improved path sanitization to block unauthorized access to important site files.

What You Need To Do

If you’re using WP Ultimate CSV Importer:

  • Free version: Make sure you’ve updated to version 7.20.1 or above from your WordPress dashboard.
  • Pro version: If you are our PRO User, download the latest WP Ultimate CSV Importer Pro plugin from your Smackcoders account.

Why We’re Sharing This?

Vulnerabilities can show up in any software. What makes the difference is how quickly and responsibly they’re addressed. We’re committed to transparent, timely fixes because the trust you place in our products means everything. We appreciate your support and just want to make sure you are using the latest version.

Need Support? We’re Here to Help

If you have any concerns, questions, or need help updating, reach out to our support team. We’re always here to assist.

Thank you for choosing WP Ultimate CSV Importer. We’re here to keep your workflow smooth and your site safe.

🎃 Halloween Treat – 20% Off!

WP Ultimate CSV Importer Plugin
Offer for all three Pro Packs

--Days
--Hours
--Mins
--Secs

Grab your discount code by clicking the link below

Copied!