Patchstack
Critical RCE Vulnerabilities Discovered in Npm tidgi and WP Ultimate CSV Importer
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Two remote code execution (RCE) vulnerabilities have been identified in popular plugins: Npm tidgi and WP Ultimate CSV Importer. The Npm tidgi vulnerability allows privileged users to execute commands via malicious links or crafted pages. Similarly, the WP Ultimate CSV Importer plugin has a missing authorization flaw that also permits command execution by authenticated users. Both vulnerabilities could enable attackers to gain backdoor access to affected websites. Users are advised to update the plugins immediately to mitigate risks. The CVSS scoring system is mentioned but deemed not ideal for WordPress vulnerabilities. Patchstack has issued mitigation rules for the WP Ultimate CSV Importer until updates are applied. The Npm tidgi vulnerability was reported on July 14, 2026, while the WP Ultimate CSV Importer vulnerability was reported on July 16, 2026.
Key Points: • Critical RCE vulnerabilities found in Npm tidgi and WP Ultimate CSV Importer plugins. • Immediate updates are required to prevent potential backdoor access to affected websites. • Patchstack has provided mitigation rules for the WP Ultimate CSV Importer until updates are applied.