CVE-2020-36849

9.8 CRITICAL

📋 TL;DR

The AIT CSV import/export WordPress plugin allows unauthenticated attackers to upload arbitrary files due to missing file type validation. This vulnerability affects WordPress sites using plugin versions up to 3.0.3 and can lead to remote code execution.

💻 Affected Systems

Products:
  • AIT CSV Import/Export WordPress Plugin
Versions: Up to and including 3.0.3
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugin to be installed and active on WordPress site.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, or pivot to other systems.

🟠 Likely Case

Webshell upload leading to data theft, defacement, or cryptocurrency mining malware installation.

🟢 If Mitigated

File upload attempts blocked or logged with no successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A Metasploit module is available; exploitation is a single HTTP POST request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.4 or later

Vendor Advisory: https://www.ait-themes.club/wordpress-plugins/csv-import-export/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'AIT CSV Import/Export' and update to the latest version.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable endpoint

Platform: all

Block access to the vulnerable upload-handler.php file via web server configuration

# For Apache: add to .htaccess (a <Files> block in the site root .htaccess matches the file anywhere under the tree)
<Files "upload-handler.php">
    # Apache 2.2 syntax; on 2.4 this needs mod_access_compat, otherwise use "Require all denied"
    Order Allow,Deny
    Deny from all
</Files>
# For Nginx: add to the server block, before the generic "location ~ \.php$" block so this regex is matched first
location ~ /wp-content/plugins/ait-csv-import-export/admin/upload-handler\.php$ {
    deny all;
    return 403;
}

Disable plugin

Platform: linux

Temporarily deactivate the vulnerable plugin until patched

wp plugin deactivate ait-csv-import-export

🧯 If You Can't Patch

  • Remove the plugin entirely from the WordPress installation
  • Implement strict file upload filtering at the web application firewall level

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for 'AIT CSV Import/Export' version 3.0.3 or earlier

Check Version:

wp plugin list --name=ait-csv-import-export --field=version

Verify Fix Applied:

Confirm plugin version is 3.0.4 or later in WordPress admin panel
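The version checks above can be scripted so the result is machine-readable, for example from a fleet inventory job. The script below is an added example, not part of the advisory or the vendor's tooling: it wraps the wp-cli command shown above and compares the reported version against the 3.0.4 fix. WP_PATH (defaulting to /var/www/html) is an assumed location of the WordPress root; adjust it for your install.

```shell
#!/bin/sh
# Added version check for CVE-2020-36849 (not from the advisory).
# Vulnerable: AIT CSV Import/Export <= 3.0.3; fixed in 3.0.4.

# Returns 0 (true) when the given plugin version is in the vulnerable range,
# 1 when it is patched, 2 when the string is not a dotted numeric version.
is_vulnerable_version() {
    case "$1" in
        ''|*[!0-9.]*) return 2 ;;   # empty, or contains something other than digits and dots
    esac
    echo "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        # Fixed in 3.0.4: anything below that (2.x, 3.0.0 .. 3.0.3) is vulnerable;
        # 3.0.4, 3.1.0 and later are not.
        if (maj < 3 || (maj == 3 && min == 0 && pat < 4)) exit 0
        exit 1
    }'
}

# Queries the live site with wp-cli. WP_PATH is the WordPress root (assumed default).
# Exit status: 0 = vulnerable, 1 = patched or plugin absent, 2 = could not decide.
check_plugin() {
    version=$(wp plugin list --name=ait-csv-import-export --field=version \
                 --path="${WP_PATH:-/var/www/html}" 2>/dev/null) || version=''
    if [ -z "$version" ]; then
        echo "ait-csv-import-export not installed (or wp-cli unavailable)"
        return 1
    fi
    rc=0; is_vulnerable_version "$version" || rc=$?
    case $rc in
        0) echo "VULNERABLE: ait-csv-import-export $version (update to 3.0.4 or later)"; return 0 ;;
        1) echo "OK: ait-csv-import-export $version"; return 1 ;;
        *) echo "Could not parse version '$version'; check the admin panel manually"; return 2 ;;
    esac
}

# Run the live check only when asked, so the functions can also be sourced from other scripts.
if [ "${1:-}" = "--check" ]; then
    check_plugin
fi
```

Run it as `WP_PATH=/srv/www/site sh check-ait-csv.sh --check`; the exit status lets a scheduler or inventory tool act on the result without parsing the message.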

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php
  • Uploads of non-CSV files (e.g., .php, .exe) to plugin directory

Network Indicators:

  • Unusual outbound connections from web server following file uploads
  • HTTP requests with suspicious file extensions in POST data

SIEM Query:

source="web_server_logs" AND uri="*upload-handler.php" AND method="POST" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")
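The log indicators and the SIEM query above translate directly into an access-log scan. The script below is an added example, not from the advisory: it runs over Apache/Nginx combined-format log lines (the sample lines are constructed, using documentation IP ranges) and flags POSTs to the vulnerable handler plus requests for server-side executables under wp-content/uploads. The uploads directory as the landing spot for a file placed through the handler is an assumption; the file-extension clause of the SIEM query cannot be evaluated from access logs alone, because the filename travels in the multipart body, so that part is approximated by the second indicator.

```shell
#!/bin/sh
# Added detection example for CVE-2020-36849 (not from the advisory).
# Constructed sample lines in combined log format; IPs are documentation ranges.
SAMPLE_LOG='203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "POST /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2024:10:15:09 +0000] "GET /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:11 +0000] "GET /wp-content/uploads/2024/03/import.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.10 - - [12/Mar/2024:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:10:16:30 +0000] "GET /wp-content/uploads/2024/03/report.csv HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# Reads log lines on stdin and prints one tab-separated line per hit:
#   client, timestamp, method, uri, status, indicator
# Indicator 1: any POST to the vulnerable upload handler (mirrors the SIEM query).
# Indicator 2: a request for a server-side executable under wp-content/uploads
#   (assumed landing directory for a file dropped through the handler).
flag_suspicious_requests() {
    awk '
    {
        method = $6; sub(/^"/, "", method)
        ts = $4; sub(/^\[/, "", ts)
        uri = $7; path = uri; sub(/\?.*/, "", path)   # drop the query string before matching
        status = $9
        if (method == "POST" && path ~ /\/ait-csv-import-export\/admin\/upload-handler\.php$/)
            printf "%s\t%s\t%s\t%s\t%s\tUPLOAD_HANDLER_POST\n", $1, ts, method, uri, status
        else if (path ~ /\/wp-content\/uploads\/.*\.(php|phtml|phar|exe|sh)$/)
            printf "%s\t%s\t%s\t%s\t%s\tEXECUTABLE_UNDER_UPLOADS\n", $1, ts, method, uri, status
    }'
}

# Counts hits of one indicator, e.g.: count_indicator UPLOAD_HANDLER_POST < access.log
count_indicator() {
    flag_suspicious_requests | grep -c "$1\$" || true
}

# Demonstration over the constructed sample: prints the two flagged lines.
printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_requests
```

In practice, pipe `zcat /var/log/nginx/access.log*.gz` or the Apache equivalent through `flag_suspicious_requests`; a POST hit followed within seconds by an EXECUTABLE_UNDER_UPLOADS hit from the same client is the sequence worth escalating, since it matches the upload-then-execute pattern described under Likely Case.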
