WP-Safety

Catch Import Export Security & Risk Analysis

wordpress.org/plugins/catch-import-export

Catch Import Export is a simple and easy-to-use import-export plugin that addresses the need for importing and exporting of customizer settings from a …

30 active installs v2.3.1 PHP + WP 5.9+ Updated Feb 25, 2026
customizercustomizer-exportcustomizer-importexportimport
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Catch Import Export Safe to Use in 2026?

Generally Safe

Score 100/100

Catch Import Export has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago
Risk Assessment

The "catch-import-export" v2.3.1 plugin exhibits a generally strong security posture, primarily due to robust implementation of security best practices. The static analysis reveals a well-controlled attack surface with no unprotected entry points, indicating that all AJAX handlers, REST API routes, shortcodes, and cron events are appropriately secured. Furthermore, the plugin demonstrates excellent output sanitization, with 99% of outputs properly escaped, and consistently uses prepared statements for its SQL queries, which is a critical defense against SQL injection vulnerabilities. The presence of nonces and capability checks on its entry points further strengthens its security.

Despite the overall good security practices, there is one significant concern flagged by the static analysis: the use of the `unserialize` function. While the taint analysis did not reveal any exploitable unsanitized paths or critical/high severity flows, the inherent risks associated with `unserialize` cannot be ignored. If serialized data originates from an untrusted source and is not rigorously validated before unserialization, it can lead to Remote Code Execution (RCE) vulnerabilities. The plugin's vulnerability history is notably clean, with no recorded CVEs, which is a positive indicator. However, this clean history, coupled with the presence of `unserialize`, suggests that this specific risk might not have been triggered in past scenarios or may not have been publicly disclosed.

In conclusion, "catch-import-export" v2.3.1 is a secure plugin in most aspects, adhering to modern WordPress security standards. The lack of historical vulnerabilities and the strong implementation of authentication and sanitization are commendable. The sole point of concern is the `unserialize` function, which, while not currently showing exploitable flows, represents a potential attack vector if external data is handled without extreme caution. Users should remain vigilant about the source of data processed by this function.

Key Concerns

  • Use of unserialize function
Vulnerabilities
None known

Catch Import Export Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Catch Import Export Release Timeline

v2.3.1Current
v2.3
v2.2.3
v2.2.2
v2.2.1
v2.2
v2.1
v2.0
v1.9
v1.8
v1.7
v1.6
v1.5
v1.4
v1.3
v1.2
v1.1
v1.0.1
Code Analysis
Analyzed Apr 16, 2026

Catch Import Export Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
0 prepared
Unescaped Output
1
117 escaped
Nonce Checks
4
Capability Checks
10
File Operations
1
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$data = @unserialize($raw);admin/class-catch-import-export-admin.php:359

Output Escaping

99% escaped118 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
_import (admin/class-catch-import-export-admin.php:315)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Catch Import Export Attack Surface

Entry Points3
Unprotected0

AJAX Handlers 3

authwp_ajax_query-themesincludes/CatchThemesThemePlugin.php:11
authwp_ajax_customize_load_themesincludes/CatchThemesThemePlugin.php:21
authwp_ajax_ctp_switchincludes/ctp-tabs-removal.php:99
WordPress Hooks 15
actionadmin_enqueue_scriptsincludes/CatchThemesThemePlugin.php:13
actioncustomize_registerincludes/CatchThemesThemePlugin.php:16
filterinstall_plugins_tabsincludes/CatchThemesThemePlugin.php:23
filterinstall_plugins_table_api_args_catchpluginsincludes/CatchThemesThemePlugin.php:24
actioninstall_plugins_catchpluginsincludes/CatchThemesThemePlugin.php:25
actionplugins_loadedincludes/class-catch-import-export.php:124
actionadmin_enqueue_scriptsincludes/class-catch-import-export.php:139
actionadmin_enqueue_scriptsincludes/class-catch-import-export.php:140
actioncustomize_controls_print_scriptsincludes/class-catch-import-export.php:141
actionadmin_menuincludes/class-catch-import-export.php:142
actioncustomize_registerincludes/class-catch-import-export.php:143
actioncustomize_registerincludes/class-catch-import-export.php:144
filterplugin_action_linksincludes/class-catch-import-export.php:145
filterplugin_row_metaincludes/class-catch-import-export.php:146
actionadmin_initincludes/ctp-tabs-removal.php:18
Maintenance & Trust

Catch Import Export Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 25, 2026
PHP min version
Downloads5K

Community Trust

Rating0/100
Number of ratings0
Active installs30
Alternatives

Catch Import Export Alternatives

Customizer Export/Import

Customizer Export/Import

customizer-export-import

A
96

Easily export or import your WordPress customizer settings!

100K 3 CVEs
Customizer Reset – Export & Import

Customizer Reset – Export & Import

customizer-reset

A
100

Reset, export, and import your WordPress Customizer settings with just one click of a button.

1K No CVEs
Customizer EX

Customizer EX

customizer-ex

A
85

Simple Export and Import Customizer settings

0 No CVEs
Advanced Import: One-Click Demo Import for WordPress

Advanced Import: One-Click Demo Import for WordPress

advanced-import

A
99

Advanced Import simplifies importing demo data for WordPress sites, enabling users to import posts, pages, media, widgets, customizer settings, and Gu …

90K 1 CVE
Import / Export Customizer Settings

Import / Export Customizer Settings

astra-import-export

A
100

Astra theme customizer offers several settings for header/footer layout, sidebar and blog designs, colors, backgrounds, typography and much more.

50K 1 CVE
Developer Profile

Catch Import Export Developer Profile

Catch Themes

156 plugins · 226K total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
251 days
View full developer profile
Detection Fingerprints

How We Detect Catch Import Export

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/catch-import-export/admin/css/admin-dashboard.css/wp-content/plugins/catch-import-export/admin/css/customizer.css/wp-content/plugins/catch-import-export/admin/js/catch-import-export-admin.js/wp-content/plugins/catch-import-export/admin/js/customizer.js/wp-content/plugins/catch-import-export/admin/js/jquery-matchHeight.min.js
Script Paths
/wp-content/plugins/catch-import-export/admin/js/catch-import-export-admin.js/wp-content/plugins/catch-import-export/admin/js/customizer.js/wp-content/plugins/catch-import-export/admin/js/jquery-matchHeight.min.js
Version Parameters
catch-import-export/admin/css/admin-dashboard.css?ver=catch-import-export/admin/css/customizer.css?ver=catch-import-export/admin/js/catch-import-export-admin.js?ver=catch-import-export/admin/js/customizer.js?ver=catch-import-export/admin/js/jquery-matchHeight.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
catch-import-export-wrap
JS Globals
CIEConfigCIEl10n
FAQ

Frequently Asked Questions about Catch Import Export