CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13430

highCVSS 7.2covered by 1 sourcefirst seen 2026-07-10
The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the import_media_file_secure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension allow-list check in ajax_import_media_start() uses pathinfo() on the raw ZIP entry name (e.g., 'shell.php.'), which returns an empty string for the extension, causing the allow-list guard to be skipped and the file to be extracted to a temporary location, after which import_media_file_secure() copies it into the WordPress uploads directory without re-validating the extension. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.

⚡ Watch CVE-2026-13430

Get an email if CVE-2026-13430 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-13430

CVE.org record

Embed the live status

CVE-2026-13430 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13430 status](https://www.csirts.com/badge/CVE-2026-13430)](https://www.csirts.com/cve/CVE-2026-13430)