Vulnerabilities and security research for wp-all-import
Jun 07, 2024
Import any XML or CSV File to WordPress # CVE-2018-16255
- Date: Apr 12, 2019
- Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import can only be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
- Affected versions: max 3.4.9
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2021-24714
- Date: Dec 06, 2021
- Research Description: The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
- Affected versions: max 3.6.3
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2015-9331
- Date: Aug 20, 2019
- Research Description: The wp-all-import plugin before 3.2.4 for WordPress does not prevent unauthenticated requests to adminInit.
- Affected versions: max 3.2.4
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2017-18567
- Date: Aug 20, 2019
- Research Description: The wp-all-import plugin before 3.4.6 for WordPress has XSS.
- Affected versions: max 3.4.6
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2015-9330
- Date: Aug 20, 2019
- Research Description: The wp-all-import plugin before 3.2.5 for WordPress has blind SQL injection.
- Affected versions: max 3.2.5
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2018-16257
- Date: Apr 13, 2019
- Research Description: There are multiple XSS vulnerabilities in WP All Import plugin 3.4.9 for WordPress via action=template. NOTE: The vendor states that this is not a vulnerability. WP All Import can only be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
- Affected versions: max 3.4.9
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2018-16256
- Date: Apr 12, 2019
- Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via Add Filtering Options (Add Rule). NOTE: The vendor states that this is not a vulnerability. WP All Import can only be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
- Affected versions: max 3.4.9
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2015-9329
- Date: Aug 20, 2019
- Research Description: The wp-all-import plugin before 3.2.5 for WordPress has reflected XSS.
- Affected versions: max 3.2.5
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2018-20978
- Date: Aug 20, 2019
- Research Description: The wp-all-import plugin before 3.4.7 for WordPress has XSS.
- Affected versions: max 3.4.7
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2018-16254
- Date: Apr 12, 2019
- Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=options. NOTE: The vendor states that this is not a vulnerability. WP All Import can only be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
- Affected versions: max 3.4.9
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2018-0546
- Date: Mar 09, 2018
- Research Description: Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.6 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
- Affected versions: max 3.4.6
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2022-1565
- Date: Jul 18, 2022
- Research Description: The WP All Import plugin is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator-level permissions and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
- Affected versions: max 3.6.8
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2018-16258
- Date: Apr 13, 2019
- Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-import custom_type. NOTE: The vendor states that this is not a vulnerability. WP All Import can only be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
- Affected versions: max 3.4.9
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2018-16259
- Date: Apr 13, 2019
- Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-settings large_feed_limit. NOTE: The vendor states that this is not a vulnerability. WP All Import can only be used by a logged-in administrator, and the action described can only be taken advantage of by a logged-in administrator.
- Affected versions: max 3.4.9
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2018-0547
- Date: Mar 09, 2018
- Research Description: Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.7 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
- Affected versions: max 3.4.7
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2022-2268
- Date: Jul 04, 2022
- Research Description: The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type, allowing high-privilege users such as admins to upload an arbitrary file such as PHP, leading to RCE.
- Affected versions: max 3.6.8
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2022-36386
- Date: Sep 22, 2022
- Research Description: Authenticated arbitrary code execution vulnerability in the Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7.
- Affected versions: max 3.6.8
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2022-3418
- Date: Nov 07, 2022
- Research Description: The Import any XML or CSV File to WordPress plugin before 3.6.9 does not properly filter which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files.
- Affected versions: max 3.6.9
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2022-2711
- Date: Nov 07, 2022
- Research Description: The Import any XML or CSV File to WordPress plugin before 3.6.9 is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.
- Affected versions: max 3.6.9
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2023-7082
- Date: Jan 23, 2024
- Research Description: The Import any XML or CSV File to WordPress plugin before 3.7.3 accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type. This may allow high-privilege users such as administrators to upload an executable file type, leading to remote code execution.
- Affected versions: max 3.7.3
- Status: vulnerable
Import any XML or CSV File to WordPress # CVE-2024-31939
- Date: Apr 11, 2024
- Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Soflyy Import any XML or CSV File to WordPress. This issue affects Import any XML or CSV File to WordPress: from n/a through 3.7.3.
- Affected versions: max 3.7.4
- Status: vulnerable
Feb 04, 2025
Import any XML or CSV File to WordPress # CVE-2024-9661
- Date: Feb 07, 2025
- Research Description: The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions: max 3.8.0
- Status: vulnerable
May 07, 2025
Import any XML or CSV File to WordPress # CVE-2014-2054
- Date: Jun 04, 2014
- Research Description: PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
- Affected versions: max 3.9.0
- Status: vulnerable
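CVE-2014-2054 describes a library (PHPExcel) rather than the plugin's own code, and its fix on the PHP side is the libxml external-entity setting. The example below is added here and is not PHPExcel or WP All Import code: it shows the parser-independent way to close the XXE class, refusing any DTD before the document is parsed, written in Python because the check does not depend on the language. The sample feeds are constructed, including a textbook external-entity payload, which is refused before the parser ever reaches the entity reference.

```python
"""Parsing an uploaded XML feed without the XXE class.

Added example, not PHPExcel or WP All Import code. Instead of depending on
a parser's external-entity default, it refuses any DTD (a DOCTYPE or an
ENTITY declaration) up front: with no DTD there is no way to declare an
external entity, and no way to build an entity-expansion bomb either.
The sample documents below are constructed for the example.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DtdForbidden(ValueError):
    """The document carries a DTD, which an import feed never needs."""


def reject_dtd(data: bytes) -> None:
    """Run expat over the data with handlers that abort on the first DOCTYPE
    or ENTITY declaration. Raises DtdForbidden, or ExpatError if malformed.
    No element handlers are set, so this pass builds nothing."""
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} is not allowed in import feeds")

    def on_entity(*_declaration):
        raise DtdForbidden("entity declarations are not allowed in import feeds")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # an exception in a handler propagates out of Parse


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Guard pass first, then build the tree with ElementTree."""
    reject_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """'ok', 'dtd-rejected' or 'malformed' for a candidate feed."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except DtdForbidden:
        return "dtd-rejected"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed samples.
BENIGN_FEED = b"""<?xml version="1.0"?>
<items><item><sku>A1</sku><price>9.99</price></item></items>"""

# Textbook external-entity payload: the parser is asked to substitute a
# local file into element content.
XXE_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE items [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<items><item><sku>&xxe;</sku></item></items>"""

# Internal entities only (no file access) but exponential expansion.
BOMB_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE items [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<items>&b;&b;&b;</items>"""

# A DOCTYPE that only points at an external DTD, no entities inline: still
# refused, because the rule is "no DTD at all", not "no dangerous DTD".
EXTERNAL_DTD_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE items SYSTEM "http://example.invalid/items.dtd">
<items/>"""

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_FEED), ("xxe", XXE_FEED),
                       ("bomb", BOMB_FEED), ("external dtd", EXTERNAL_DTD_FEED)]:
        print(f"{label:13s} -> {classify(doc)}")
```

Refusing the DTD outright is coarser than switching off entity loading, but it has no dependency on which parser, version or default is in play, and it stops internal-entity expansion without relying on the parser's own amplification limits. An import feed that legitimately needs a DTD is rare enough that the rejection is the right default and the exception can be handled explicitly.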
Oct 11, 2025
Import any XML or CSV File to WordPress # CVE-2025-10001
- Date: Sep 10, 2025
- Research Description: The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible.
- Affected versions: max 3.9.4
- Status: vulnerable
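Five entries in this list (CVE-2022-1565, CVE-2022-2268, CVE-2022-2711, CVE-2023-7082 and CVE-2025-10001) are one bug class seen from two sides: what an uploaded archive or file may write, and where. The following is an added illustration, not code from WP All Import (which is PHP) or from any of the advisories; it is in Python because the two checks are language-neutral. The ALLOWED_EXTENSIONS set, the sample archives and the use of a temporary directory are assumptions made for the example.

```python
"""Validating an uploaded import archive before extraction.

Added illustration, not WP All Import code. It shows the two checks the
advisories describe as missing: path containment for every archive member
(the zip path-traversal case) and an extension allowlist for anything
written to disk (the arbitrary-file-type case). ALLOWED_EXTENSIONS and the
sample archives are assumptions constructed for this example.
"""
import io
import os
import tempfile
import zipfile

# Assumed allowlist: data formats an importer has a reason to accept.
# Anything the web server would execute (.php, .phar, .phtml, ...) is absent
# by construction rather than blocked by a denylist.
ALLOWED_EXTENSIONS = {".xml", ".csv", ".txt", ".json"}


class UnsafeArchiveEntry(ValueError):
    """An archive member that must not be written."""


def _target_path(dest_dir: str, member_name: str):
    """Resolve member_name under dest_dir. realpath collapses '..' and
    resolves symlinks in existing prefixes, so an absolute name or one that
    climbs out of dest_dir ends up somewhere else and is easy to spot."""
    dest_real = os.path.realpath(dest_dir)
    joined = os.path.join(dest_real, member_name.replace("\\", "/"))
    return dest_real, os.path.realpath(joined)


def entry_problem(dest_dir: str, member_name: str):
    """None if member_name may be written under dest_dir, otherwise the
    reason ("traversal" or "type"). Decided before anything touches disk."""
    dest_real, target = _target_path(dest_dir, member_name)
    if os.path.commonpath([dest_real, target]) != dest_real:
        return "traversal"
    if member_name.endswith("/"):
        return None  # directory entry: nothing is written for it
    if os.path.splitext(member_name)[1].lower() not in ALLOWED_EXTENSIONS:
        return "type"
    return None


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Validate every member, then extract; returns the paths written.
    The whole archive is checked before the first write, so a bad member
    late in the listing cannot leave earlier members behind."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = zf.infolist()
        for info in members:
            problem = entry_problem(dest_dir, info.filename)
            if problem is not None:
                raise UnsafeArchiveEntry(f"{problem}: {info.filename!r}")
        for info in members:
            _, target = _target_path(dest_dir, info.filename)
            if info.filename.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # zf.open() yields a symlink member's stored bytes as plain data,
            # so no symlink is created that could redirect a later write.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(members: dict) -> bytes:
    """Constructed sample archive from {name: bytes}. Names are stored as
    given, so a '../' prefix survives into the archive exactly as an
    attacker's would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Extract a benign archive, then attempt a hostile one, in a temp dir."""
    benign = build_archive({
        "feed/products.csv": b"sku,price\nA1,9.99\n",
        "feed/products.xml": b"<items/>",
    })
    hostile = build_archive({
        "feed/products.csv": b"sku,price\n",
        "../../wp-content/shell.php": b"<?php /* attacker-controlled */ ?>",
    })
    with tempfile.TemporaryDirectory() as dest:
        extracted = safe_extract(benign, dest)
        try:
            safe_extract(hostile, dest)
            rejected = False
        except UnsafeArchiveEntry:
            rejected = True
        on_disk = sum(len(files) for _, _, files in os.walk(dest))
    return {
        "extracted": sorted(os.path.basename(p) for p in extracted),
        "rejected": rejected,
        "files_in_dest": on_disk,  # the hostile archive wrote nothing, not even its .csv
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the language. Containment is decided on the resolved path, not on the presence of `..` in the name, so absolute names and backslash separators fall under the same comparison; and the extension check is an allowlist of import formats rather than a denylist of executable ones, which is how a `.phar` upload stays blocked without anyone having thought to list it.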
Dec 10, 2025
Import any XML or CSV File to WordPress # CVE-2025-12733
- Date: Nov 13, 2025
- Research Description: The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution.
- Affected versions: max 4.0.0
- Status: vulnerable
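CVE-2025-12733 is the eval() pattern: template text written by the import author becomes a PHP program. The example below is added here and is not the plugin's pmxi_if; it shows the shape of the fix class in Python: parse the condition into a syntax tree, admit only the grammar a filter needs (field names, literals, comparisons, and/or/not, basic arithmetic), and evaluate that tree yourself, so there is no interpreter call for a template to reach. The condition syntax, the sample record and the 512-character limit are assumptions; `unsafe_if` is included only for contrast.

```python
"""Evaluating a template condition without handing it to the interpreter.

Added example, not WP All Import code. The condition grammar (bare field
names, literals, comparisons, and/or/not, + - * /) and the sample record
are assumptions for illustration. safe_if walks the AST itself; unsafe_if
is the eval() pattern the advisory describes, kept only for contrast.
"""
import ast
import operator

MAX_CONDITION_LEN = 512  # assumed ceiling on template condition length


class UnsafeExpression(ValueError):
    """The condition uses something outside the permitted grammar."""


_COMPARE = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}
_ARITH = {ast.Add: operator.add, ast.Sub: operator.sub,
          ast.Mult: operator.mul, ast.Div: operator.truediv}
_SCALAR = (str, int, float, bool, type(None))


def _number(value):
    """Arithmetic is restricted to numbers: 'a' * 10**9 is a memory bomb."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise UnsafeExpression("arithmetic is only allowed on numbers")
    return value


def _walk(node, fields):
    """Evaluate one node against the record. Anything not listed here is
    refused, so Call, Attribute, Subscript, Lambda and comprehensions never
    get evaluated at all; nothing is looked up by name in a denylist."""
    if isinstance(node, ast.Expression):
        return _walk(node.body, fields)
    if isinstance(node, ast.Constant) and isinstance(node.value, _SCALAR):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in fields:
            raise UnsafeExpression(f"unknown field {node.id!r}")
        return fields[node.id]
    if isinstance(node, ast.Tuple):
        return tuple(_walk(elt, fields) for elt in node.elts)
    if isinstance(node, ast.BoolOp):
        values = (_walk(v, fields) for v in node.values)  # short-circuits
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _walk(node.operand, fields)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_number(_walk(node.operand, fields))
    if isinstance(node, ast.BinOp) and type(node.op) in _ARITH:
        left = _number(_walk(node.left, fields))
        right = _number(_walk(node.right, fields))
        return _ARITH[type(node.op)](left, right)
    if isinstance(node, ast.Compare):
        left = _walk(node.left, fields)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _COMPARE:
                raise UnsafeExpression(f"{type(op).__name__} is not allowed")
            right = _walk(comparator, fields)
            if not _COMPARE[type(op)](left, right):
                return False
            left = right  # chained comparison: 1 < price < 100
        return True
    raise UnsafeExpression(f"{type(node).__name__} is not allowed")


def safe_if(condition: str, record: dict) -> bool:
    """Decide the condition for one import record, or raise UnsafeExpression."""
    if len(condition) > MAX_CONDITION_LEN:
        raise UnsafeExpression("condition too long")
    try:
        tree = ast.parse(condition, mode="eval")
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        raise UnsafeExpression(f"not a valid condition: {exc}") from None
    try:
        return bool(_walk(tree, record))
    except RecursionError:
        raise UnsafeExpression("condition nested too deeply") from None
    except ZeroDivisionError:
        raise UnsafeExpression("division by zero") from None
    except TypeError:
        raise UnsafeExpression("type mismatch in condition") from None


def check_condition(condition: str, record: dict):
    """None if the condition is acceptable, otherwise the reason it is not."""
    try:
        safe_if(condition, record)
        return None
    except UnsafeExpression as exc:
        return str(exc)


def unsafe_if(condition: str, record: dict) -> bool:
    """The pattern to avoid: template text goes straight to eval(), so a
    condition is also a program. Present only to contrast with safe_if."""
    return bool(eval(condition, {}, dict(record)))


if __name__ == "__main__":
    rec = {"price": 12.5, "stock": 3, "title": "Widget A", "category": "tools"}
    print(safe_if("price > 10 and stock != 0", rec))
    print(check_condition("__import__('os').getcwd() != ''", rec))
    print(unsafe_if("__import__('os').getcwd() != ''", rec))  # arbitrary code ran
```

The allowlist is on node types, not on strings: the evaluator never searches for `__import__`, `open` or backticks, because Call, Attribute and Subscript are simply not evaluable, which is why `title.__class__` and `__import__('os').getcwd()` are refused in the same way. In PHP the equivalent fix is a small tokenizer and evaluator for the same narrow grammar in place of eval(), so that the template language has no syntax for calling functions at all.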
Apr 14, 2026
Import any XML or CSV File to WordPress # CVE-2026-2830
- Date: Mar 06, 2026
- Research Description: The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'filepath' parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions: max 4.0.1
- Status: vulnerable
Jun 16, 2026
Import any XML or CSV File to WordPress # 1e1ff3db684856814c7285193e6b05365777360e
- Date: Oct 17, 2017
- Research Description: Import any XML or CSV File to WordPress plugin <= 3.4.5 - Cross-Site Scripting (XSS) vulnerability (wp-all-import < 3.4.6). Cross-Site Scripting (XSS) vulnerability found in the WordPress Import any XML or CSV File to WordPress plugin (versions <= 3.4.5).
- Affected versions: max 3.4.6
- Status: vulnerable
Import any XML or CSV File to WordPress # 23f0deb78bcc3ed57c0cb3b303981074d5af4d43
- Date: Feb 26, 2015
- Research Description: WP All Import Plugin <= 3.2.3 - Remote Code Execution (wp-all-import < 3.2.4). Because of this vulnerability, remote attackers can upload arbitrary files to the system or retrieve any files on the system that end in .txt or .html. Update the plugin.
- Affected versions: max 3.2.4
- Status: vulnerable
Import any XML or CSV File to WordPress # 95d88a2b3cd0dd1439e35033817fde4a1945183a
- Date: Mar 17, 2015
- Research Description: WP All Import Plugin <= 3.2.4 - Multiple Vulnerabilities (wp-all-import < 3.2.5). This plugin is prone to SQL injection and cross-site scripting vulnerabilities. Because of them, attackers can gain admin access to your website or trick you into visiting a malicious URL. Update the plugin.
- Affected versions: max 3.2.5
- Status: vulnerable
Import any XML or CSV File to WordPress # e5cae750-cf85-4978-b2e7-5b37ec97766e
- Date: not given
- Research Description: WP All Import < 3.6.5 - Reflected Cross-Site Scripting (wp-all-import < 3.6.5). The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting.
- Affected versions: max 3.6.5
- Status: vulnerable
Import any XML or CSV File to WordPress # e1e2b13fdb2581c6d07a84cea272c511b0b3e1cd
- Date: Feb 19, 2020
- Research Description: Import any XML or CSV File to WordPress <= 3.2.4 - Missing Authorization and Cross-Site Request Forgery Checks (wp-all-import < 3.2.5). The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.2.4 due to missing capability and nonce checks on various functions.
- Affected versions: max 3.2.5
- Status: vulnerable
Import any XML or CSV File to WordPress # 3860737b582eb7944753e1efb5308fb75df5d931
- Date: Feb 19, 2020
- Research Description: Import any XML or CSV File to WordPress <= 3.2.4 - SQL Injection (wp-all-import < 3.2.5). The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in versions up to, and including, 3.2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrative capabilities and above to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions: max 3.2.5
- Status: vulnerable
Import any XML or CSV File to WordPress # 55398b0b646725d4510cc2a116f7f51312faee16
- Date: Jun 02, 2022
- Research Description: Import any XML or CSV File to WordPress <= 3.6.6 - Reflected Cross-Site Scripting (wp-all-import < 3.6.7). The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in versions up to, and including, 3.6.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions: max 3.6.7
- Status: vulnerable
Jun 29, 2026
Import any XML or CSV File to WordPress # CVE-2026-57628
- Date: Jun 26, 2026
- Research Description: SQL injection, exploitable by an administrator, in WP All Import versions <= 4.0.1.
- Affected versions: max 4.1.0
- Status: vulnerable