cleantalk
Vulnerabilities and Security Researches

Import any XML or CSV File to WordPress, CVE-2024-9661

CVE, Research URL

CVE-2024-9661

Home page URL

Security reports for Import any XML or CSV File to WordPress

Application

Import any XML or CSV File to WordPress

Published on
Feb 07, 2025
Research Description
The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 3.8.0.
Status
vulnerable
Previous vulnerability researches
Import any XML or CSV File to WordPress (CVE-2018-0547) , Jun 07, 2024
Import any XML or CSV File to WordPress (CVE-2022-2268) , Jun 07, 2024
Import any XML or CSV File to WordPress (CVE-2022-36386) , Jun 07, 2024
Import any XML or CSV File to WordPress (CVE-2022-3418) , Jun 07, 2024
Import any XML or CSV File to WordPress (CVE-2022-2711) , Jun 07, 2024
New vulnerability
Genealogical Tree – WordPress Family Tree (CVE-2025-58023) , Oct 12, 2025
WPB Quick View Popup for WooCommerce – Display Product Informations in Popup on Button Click (CVE-2025-57967) , Oct 12, 2025
Mixtape (CVE-2025-9860) , Oct 12, 2025
Advanced Settings (CVE-2025-58996) , Oct 12, 2025
FancyTabs (CVE-2025-8560) , Oct 12, 2025