Vulnerabilities and security researches forwp-all-import wp-all-import

Direction: descending

Oct 11, 2025

Import any XML or CSV File to WordPress # CVE-2025-10001

CVE, Research URL: CVE-2025-10001
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Sep 10, 2025
Research Description: The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable

May 07, 2025

Import any XML or CSV File to WordPress # CVE-2014-2054

CVE, Research URL: CVE-2014-2054
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Jun 04, 2014
Research Description: PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Affected versions: Min -, max -.
Status: vulnerable

Feb 04, 2025

Import any XML or CSV File to WordPress # CVE-2024-9661

CVE, Research URL: CVE-2024-9661
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Feb 07, 2025
Research Description: The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

Import any XML or CSV File to WordPress # CVE-2018-16255

CVE, Research URL: CVE-2018-16255
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Apr 12, 2019
Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2021-24714

CVE, Research URL: CVE-2021-24714
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Dec 06, 2021
Research Description: The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2015-9331

CVE, Research URL: CVE-2015-9331
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Aug 20, 2019
Research Description: The wp-all-import plugin before 3.2.4 for WordPress has no prevention of unauthenticated requests to adminInit.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2017-18567

CVE, Research URL: CVE-2017-18567
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Aug 20, 2019
Research Description: The wp-all-import plugin before 3.4.6 for WordPress has XSS.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2015-9330

CVE, Research URL: CVE-2015-9330
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Aug 20, 2019
Research Description: The wp-all-import plugin before 3.2.5 for WordPress has blind SQL injection.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2018-16257

CVE, Research URL: CVE-2018-16257
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Apr 13, 2019
Research Description: There are multiple XSS vulnerabilities in WP All Import plugin 3.4.9 for WordPress via action=template. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2018-16256

CVE, Research URL: CVE-2018-16256
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Apr 12, 2019
Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via Add Filtering Options(Add Rule). NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2015-9329

CVE, Research URL: CVE-2015-9329
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Aug 20, 2019
Research Description: The wp-all-import plugin before 3.2.5 for WordPress has reflected XSS.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2018-20978

CVE, Research URL: CVE-2018-20978
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Aug 20, 2019
Research Description: The wp-all-import plugin before 3.4.7 for WordPress has XSS.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2018-16254

CVE, Research URL: CVE-2018-16254
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Apr 12, 2019
Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=options. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2018-0546

CVE, Research URL: CVE-2018-0546
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Mar 09, 2018
Research Description: Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.6 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2022-1565

CVE, Research URL: CVE-2022-1565
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Jul 18, 2022
Research Description: The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2018-16258

CVE, Research URL: CVE-2018-16258
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Apr 13, 2019
Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-import custom_type. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2018-16259

CVE, Research URL: CVE-2018-16259
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Apr 13, 2019
Research Description: There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-settings large_feed_limit. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2018-0547

CVE, Research URL: CVE-2018-0547
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Mar 09, 2018
Research Description: Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.7 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2022-2268

CVE, Research URL: CVE-2022-2268
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Jul 04, 2022
Research Description: The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2022-36386

CVE, Research URL: CVE-2022-36386
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Sep 22, 2022
Research Description: Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2022-3418

CVE, Research URL: CVE-2022-3418
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Nov 07, 2022
Research Description: The Import any XML or CSV File to WordPress plugin before 3.6.9 is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2022-2711

CVE, Research URL: CVE-2022-2711
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Nov 07, 2022
Research Description: The Import any XML or CSV File to WordPress plugin before 3.6.9 is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2023-7082

CVE, Research URL: CVE-2023-7082
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Jan 23, 2024
Research Description: The Import any XML or CSV File to WordPress plugin before 3.7.3 accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type. This may allows high privilege users such as administrator to upload an executable file type leading to remote code execution.
Affected versions: Min -, max -.
Status: vulnerable

Import any XML or CSV File to WordPress # CVE-2024-31939

CVE, Research URL: CVE-2024-31939
Home page URL: Security reports for Import any XML or CSV File to WordPress
Application: Import any XML or CSV File to WordPress
Date: Apr 11, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Soflyy Import any XML or CSV File to WordPress.This issue affects Import any XML or CSV File to WordPress: from n/a through 3.7.3.
Affected versions: Min -, max -.
Status: vulnerable