Critical RCE Vulnerabilities Discovered in Npm tidgi and WP Ultimate CSV Importer

Critical RCE Vulnerabilities Discovered in Npm tidgi and WP Ultimate CSV Importer

First seen 16 Jul 2026, 16:59 UTC Patchstackcve.mitre.org 85% similarity 72.0

Article Content

Browse articles
ThreatCluster

Two remote code execution (RCE) vulnerabilities have been identified in popular plugins: Npm tidgi and WP Ultimate CSV Importer. The Npm tidgi vulnerability allows privileged users to execute commands via malicious links or crafted pages. Similarly, the WP Ultimate CSV Importer plugin has a missing authorization flaw that also permits command execution by authenticated users. Both vulnerabilities could enable attackers to gain backdoor access to affected websites. Users are advised to update the plugins immediately to mitigate risks. The CVSS scoring system is mentioned but deemed not ideal for WordPress vulnerabilities. Patchstack has issued mitigation rules for the WP Ultimate CSV Importer until updates are applied. The Npm tidgi vulnerability was reported on July 14, 2026, while the WP Ultimate CSV Importer vulnerability was reported on July 16, 2026.

Key Points: • Critical RCE vulnerabilities found in Npm tidgi and WP Ultimate CSV Importer plugins. • Immediate updates are required to prevent potential backdoor access to affected websites. • Patchstack has provided mitigation rules for the WP Ultimate CSV Importer until updates are applied.

ThreatCluster AI

Timeline

2026-07-14
RCE vulnerability in Npm tidgi reported
A remote code execution vulnerability was disclosed in the Npm tidgi plugin, affecting privileged users.
Patchstack
2026-07-16
RCE vulnerability in WP Ultimate CSV Importer reported
A missing authorization flaw in the WP Ultimate CSV Importer plugin allows authenticated users to execute commands.
Patchstack

Community

Browse all →