Comments Import & Export Security & Risk Analysis

wordpress.org/plugins/comments-import-export-woocommerce

The WordPress Comments Import Export plugin is a fast way to export and import WordPress comments.

2K active installs · v2.5.0 · PHP 7.0+ · WP 3.0.1+ · Updated Feb 19, 2026
Tags: comments-export, comments-import, wordpress-comments, wordpress-comments-export, wordpress-comments-import
Security score: 96
Grade: A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jun 2, 2025
Safety Verdict

Is Comments Import & Export Safe to Use in 2026?

Generally Safe

Score 96/100

Comments Import & Export has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jun 2, 2025 · Updated 1mo ago
Risk Assessment

The "comments-import-export-woocommerce" plugin at version 2.5.0 presents a mixed security posture. The code signals are mostly good: 9 of 11 SQL queries use prepared statements and 404 of 428 outputs are escaped. Two findings stand out. First, the scan marks one of the seven AJAX handlers as unprotected without naming it (see Attack Surface below); all seven are registered on the logged-in wp_ajax_ hook with no wp_ajax_nopriv_ variant, so the exposure is to authenticated users rather than anonymous visitors, but a handler that any Subscriber can reach without a nonce and capability check is exactly the pattern behind CVE-2024-31235 (CSRF) and CVE-2025-3919 (missing authorization, Subscriber+). Second, the importer calls unserialize() on $comment_parent_session (includes\importer\class-hf_cmt_impexpcsv-import.php:1003) without restricting allowed classes; the preceding is_string() check proves nothing about the content, and if that string can be influenced by a user it is a PHP object injection primitive, since any class on the site with a __wakeup() or __destruct() method becomes reachable. The vulnerability history shows a recurring pattern of medium-severity issues: CSV injection (twice), CSRF, an authenticated arbitrary file read via directory traversal, and stored XSS. All five CVEs are patched (0 unpatched at the time of analysis); the concern is patch latency, with the two CSV injection CVEs listed as fixed after 351 and 2042 days while the 2024 and 2025 issues were fixed within one to seven days. The unprotected entry point and the historical pattern warrant review and mitigation before use on sites that allow untrusted user registration.

Key Concerns

  • Unprotected AJAX handler (1 of 7, on the authenticated wp_ajax_ hook)
  • unserialize() on $comment_parent_session with no allowed_classes restriction (class-hf_cmt_impexpcsv-import.php:1003)
  • Five medium-severity CVEs in history (CSV injection x2, CSRF, directory traversal, stored XSS)
  • Long historical patch times for the CSV injection CVEs (351 and 2042 days); none currently unpatched
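The two code-level concerns above, a handler reachable by any logged-in user and an unrestricted unserialize(), are closed by the same small set of WordPress idioms. The following is an added example written for this analysis, not code from the plugin or from WebToffee; it assumes a WordPress runtime (the wp_ajax_ hook, check_ajax_referer, current_user_can and the wp_send_json_* helpers are core functions), and the action name example_cmt_import_step, the nonce action example_cmt_import and the option key example_cmt_import_state are hypothetical.

```php
<?php
// Added example written for this analysis; not the plugin's or WebToffee's code.
// Assumes a WordPress runtime. The action name, nonce action and option key
// (example_cmt_*) are hypothetical.

// Only the logged-in hook is registered; with no wp_ajax_nopriv_ twin, an
// anonymous request to admin-ajax.php?action=example_cmt_import_step gets "0" / 400.
add_action( 'wp_ajax_example_cmt_import_step', 'example_cmt_import_step' );

function example_cmt_import_step() {
    // CSRF: die unless the request carries a nonce minted for this action.
    check_ajax_referer( 'example_cmt_import', 'nonce' );

    // Authorization: every logged-in role reaches wp_ajax_*, so gate on a
    // capability that matches the operation. Subscribers must not import comments.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    // Input: coerce to the expected type instead of trusting the raw field.
    $offset = isset( $_POST['offset'] ) ? absint( wp_unslash( $_POST['offset'] ) ) : 0;

    // Persisted import state. The flagged ternary in the plugin checks
    // is_string() and then calls unserialize() with no options; a serialized
    // object in that string would be instantiated, and any class on the site
    // with a __wakeup() or __destruct() gadget becomes reachable.
    $state = example_cmt_restore_state( get_option( 'example_cmt_import_state', '' ) );
    $state['offset'] = $offset;

    // Write back as JSON: no class names in the encoding, no object injection.
    update_option( 'example_cmt_import_state', wp_json_encode( $state ), false );

    // Output: escape anything user-derived before it can land in a page.
    wp_send_json_success( array(
        'offset' => (int) $state['offset'],
        'label'  => esc_html( isset( $state['label'] ) ? $state['label'] : '' ),
    ) );
}

/**
 * Accept JSON (current format) or a legacy PHP-serialized string and return
 * an array. allowed_classes => false (PHP 7.0+) makes unserialize() turn any
 * embedded object into __PHP_Incomplete_Class instead of instantiating it.
 */
function example_cmt_restore_state( $raw ) {
    if ( ! is_string( $raw ) || '' === $raw ) {
        return array();
    }
    $decoded = json_decode( $raw, true );
    if ( is_array( $decoded ) ) {
        return $decoded;
    }
    $legacy = @unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $legacy ) ? $legacy : array();
}
```

The matching JavaScript must send the nonce, typically minted with wp_create_nonce('example_cmt_import') and handed to the script through wp_localize_script, as the nonce POST field. The point the plugin's own ternary misses is that is_string() says nothing about what the string deserializes to; allowed_classes => false is the one argument that makes unserialize() safe against object injection, and storing JSON removes the question entirely.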
Vulnerabilities: 5

Comments Import & Export Security Vulnerabilities

CVEs by Year

2018: 1 CVE
2023: 1 CVE
2024: 2 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 5 (5 total CVEs)

CVE-2025-3919 · medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Comments Import & Export <= 2.4.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Jun 2, 2025 · Patched in 2.4.4 (1d)

CVE-2024-7514 · medium (6.5) · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WordPress Comments Import & Export <= 2.3.7 - Authenticated (Author+) Arbitrary File Read via Directory Traversal
Oct 10, 2024 · Patched in 2.3.9 (1d)

CVE-2024-31235 · medium (4.3) · Cross-Site Request Forgery (CSRF)
WordPress Comments Import & Export <= 2.3.5 - Cross-Site Request Forgery
Apr 5, 2024 · Patched in 2.3.6 (7d)

CVE-2022-45370 · medium (6.1) · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
WordPress Comments Import & Export <= 2.3.1 - CSV Injection
Feb 6, 2023 · Patched in 2.3.2 (351d)

CVE-2018-11526 · medium (6.1) · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
WordPress Comments Import & Export <= 2.0.4 - CSV Injection
Jun 21, 2018 · Patched in 2.0.5 (2042d)
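Two of the five CVEs above are CSV injection in the export path and one is an authenticated arbitrary file read via directory traversal. The block below, an added example written for this analysis rather than the plugin's own fix, shows the neutralization a CSV exporter needs and the canonical-path confinement a file reader needs, in plain PHP with constructed inputs so it runs from the CLI without WordPress. Function names and sample values are hypothetical.

```php
<?php
// Added example written for this analysis, not the plugin's own code or fix.
// Plain PHP 7.1+, runnable from the CLI with no WordPress dependency.
// neutralize_csv_cell() addresses the CSV Injection class (CVE-2018-11526,
// CVE-2022-45370); confine_to_dir() addresses the Directory Traversal class
// (CVE-2024-7514). Function names and sample inputs are constructed.

function check(bool $cond, string $label): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $label");
    }
}

/**
 * Neutralize one cell before it is written to a CSV export.
 * Excel and LibreOffice treat a cell whose first non-blank character is
 * = + - or @ as a formula, so a comment body such as =HYPERLINK(...) or a
 * DDE payload like =cmd|' /C calc'!A0 executes on the workstation of whoever
 * opens the export. A leading apostrophe forces the cell to text; quotes are
 * doubled and the field wrapped per RFC 4180 so the value cannot break out of
 * its column either.
 */
function neutralize_csv_cell(string $value): string {
    $first = ltrim($value, " \t\r\n");
    if ($first !== '' && in_array($first[0], ['=', '+', '-', '@'], true)) {
        $value = "'" . $value;
    }
    return '"' . str_replace('"', '""', $value) . '"';
}

/**
 * Resolve $requested inside $baseDir and return the canonical path, or null if
 * it is missing or escapes the base. The comparison is on realpath() output,
 * which has already collapsed ../ segments and symlinks, rather than on the
 * string the client sent.
 */
function confine_to_dir(string $baseDir, string $requested): ?string {
    if (strpos($requested, "\0") !== false) {   // NUL truncates paths in C-level calls
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// --- self-check on constructed inputs -------------------------------------
$cells = [
    'plain comment text'          => '"plain comment text"',
    '=HYPERLINK("http://x","go")' => '"\'=HYPERLINK(""http://x"",""go"")"',
    "\t=cmd|' /C calc'!A0"        => "\"'\t=cmd|' /C calc'!A0\"",
    '-5 degrees'                  => '"\'-5 degrees"',
    '@SUM(A1:A2)'                 => '"\'@SUM(A1:A2)"',
];
foreach ($cells as $in => $expected) {
    check(neutralize_csv_cell($in) === $expected, "csv cell: $in");
}

$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cmt_export_' . getmypid();
mkdir($base . '/sub', 0700, true);
file_put_contents($base . '/sub/export.csv', "comment_ID,comment_content\n");
check(confine_to_dir($base, 'sub/export.csv') === realpath($base . '/sub/export.csv'), 'inside base');
check(confine_to_dir($base, 'sub/../sub/export.csv') !== null, 'dot-dot that stays inside');
check(confine_to_dir($base, '../../../../etc/passwd') === null, 'traversal out of base');
check(confine_to_dir($base, "sub/export.csv\0.jpg") === null, 'NUL byte');
unlink($base . '/sub/export.csv');
rmdir($base . '/sub');
rmdir($base);
echo "ok\n";
```

Run it with php on the file; it prints ok or throws on the first failing check. The apostrophe prefix is the usual trade-off: a legitimately negative number in a free-text field also gets quoted, which is why many exporters apply it only to columns that hold user text. For the traversal case the decision is made on realpath() output; scanning the user-supplied string for ../ is not enough, because encoded or symlinked forms bypass that check.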
Code Analysis
Analyzed Mar 16, 2026

Comments Import & Export Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 2 (9 prepared)
Unescaped Output: 24 (404 escaped)
Nonce Checks: 13
Capability Checks: 5
File Operations: 11
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

unserialize · includes\importer\class-hf_cmt_impexpcsv-import.php:1003
  $comment_parent_session = is_string($comment_parent_session) ? unserialize($comment_parent_session)

Bundled Libraries

Select2

SQL Query Safety

82% prepared (9 of 11 total queries)

Output Escaping

94% escaped (404 of 428 total outputs)
Data Flows: 2 unsanitized

Data Flow Analysis

7 flows, 2 with unsanitized paths
handle_ftp (includes\importer\class-hf_cmt_impexpcsv-import.php:1215)
Attack Surface: 1 unprotected

Comments Import & Export Attack Surface

Entry Points: 7
Unprotected: 1

AJAX Handlers: 7

auth · wp_ajax_wcie_wt_review_plugin · hf-comments-import-export.php:71
auth · wp_ajax_wbte_ema_banner_analytics_page_dismiss · includes\banner\class-wbte-ema-banner.php:46
auth · wp_ajax_wbte_sc_hide_promotion_banner · includes\banner\class-wt-bfcm-twenty-twenty-five.php:93
auth · wp_ajax_comment_export_to_csv_single · includes\class-hf_cmt_impexpcsv-admin-screen.php:24
auth · wp_ajax_product_comments_csv_import_request · includes\class-hf_cmt_impexpcsv-ajax-handler.php:12
auth · wp_ajax_cmtimport_submit_uninstall_reason · includes\class-wf-cmt_impexp-plugin-uninstall-feedback.php:11
auth · wp_ajax_wt_iew_dismiss_wc_pages_banner · includes\class-wt-cmt_impexp-plugin-review-request.php:56
WordPress Hooks: 36

action · admin_notices · hf-comments-import-export.php:61
filter · woocommerce_screen_ids · hf-comments-import-export.php:64
action · init · hf-comments-import-export.php:66
action · init · hf-comments-import-export.php:67
action · admin_init · hf-comments-import-export.php:68
filter · admin_footer_text · hf-comments-import-export.php:70
filter · wt_bfcm_banner_screens · hf-comments-import-export.php:74
action · in_plugin_update_message-comments-import-export-woocommerce/hf-comments-import-export.php · hf-comments-import-export.php:300
action · admin_enqueue_scripts · includes\banner\class-wbte-ema-banner.php:44
action · admin_footer · includes\banner\class-wbte-ema-banner.php:45
action · admin_init · includes\banner\class-wbte-ema-banner.php:181
action · admin_enqueue_scripts · includes\banner\class-wt-bfcm-twenty-twenty-five.php:80
action · admin_notices · includes\banner\class-wt-bfcm-twenty-twenty-five.php:83
action · admin_head-edit.php · includes\banner\class-wt-bfcm-twenty-twenty-five.php:92
action · admin_menu · includes\class-hf_cmt_impexpcsv-admin-screen.php:13
action · admin_print_styles · includes\class-hf_cmt_impexpcsv-admin-screen.php:14
action · admin_notices · includes\class-hf_cmt_impexpcsv-admin-screen.php:15
action · bulk_actions-edit-comments · includes\class-hf_cmt_impexpcsv-admin-screen.php:17
action · admin_action_download_to_cmtiew_csv_hf · includes\class-hf_cmt_impexpcsv-admin-screen.php:18
filter · manage_edit-comments_columns · includes\class-hf_cmt_impexpcsv-admin-screen.php:20
filter · manage_comments_custom_column · includes\class-hf_cmt_impexpcsv-admin-screen.php:21
filter · cron_schedules · includes\class-hf_cmt_impexpcsv-cron.php:12
action · init · includes\class-hf_cmt_impexpcsv-cron.php:13
action · hw_cmt_csv_im_ex_auto_export_products · includes\class-hf_cmt_impexpcsv-cron.php:14
filter · cron_schedules · includes\class-hf_cmt_impexpcsv-import-cron.php:15
action · init · includes\class-hf_cmt_impexpcsv-import-cron.php:16
action · hw_cmt_csv_im_ex_auto_import_products · includes\class-hf_cmt_impexpcsv-import-cron.php:17
action · admin_footer · includes\class-wf-cmt_impexp-plugin-uninstall-feedback.php:10
action · admin_init · includes\class-wt-cmt_impexp-plugin-review-request.php:52
action · admin_notices · includes\class-wt-cmt_impexp-plugin-review-request.php:55
action · admin_notices · includes\class-wt-cmt_impexp-plugin-review-request.php:70
action · admin_print_footer_scripts · includes\class-wt-cmt_impexp-plugin-review-request.php:71
action · init · includes\importer\class-hf_cmt_impexpcsv-import.php:111
filter · http_request_timeout · includes\importer\class-hf_cmt_impexpcsv-import.php:448
action · wp_logout · includes\importer\class-hf_cmt_impexpcsv-import.php:1384
action · wp_login · includes\importer\class-hf_cmt_impexpcsv-import.php:1385

Scheduled Events: 2

hw_cmt_csv_im_ex_auto_export_products
hw_cmt_csv_im_ex_auto_import_products
Maintenance & Trust

Comments Import & Export Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 19, 2026
PHP min version: 7.0
Downloads: 120K

Community Trust

Rating: 98/100
Number of ratings: 68
Active installs: 2K
Developer Profile

Comments Import & Export Developer Profile

WebToffee

17 plugins · 377K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 155 days
Detection Fingerprints

How We Detect Comments Import & Export

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/comments-import-export-woocommerce/assets/css/admin.css
/wp-content/plugins/comments-import-export-woocommerce/assets/js/admin.js
Script Paths
/wp-content/plugins/comments-import-export-woocommerce/assets/js/admin.js
Version Parameters
comments-import-export-woocommerce/assets/css/admin.css?ver=
comments-import-export-woocommerce/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
cmt-deactivate-link
JS Globals
HW_CMT_ImpExpCsv_FILE
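The patterns above can be applied mechanically. As an added example that is not the site's scanner, the following plain PHP script matches the asset paths and ?ver= parameter in a page body, picks up the CSS class and JS global as secondary evidence, and uses version_compare() to map the recovered version onto the affected ranges from the CVE list. The sample HTML, the host example.test and the version 2.3.6 in it are constructed; the function names are hypothetical.

```php
<?php
// Added example written for this analysis, not the site's detection code.
// Plain PHP 7.1+, runnable from the CLI. Applies the asset-path and ?ver=
// fingerprints to a page body and maps the version onto the CVE ranges above.

const PLUGIN_SLUG = 'comments-import-export-woocommerce';

// Upper bound of each vulnerable range ("<= X"), copied from the CVE list.
const AFFECTED = [
    'CVE-2025-3919'  => '2.4.3',
    'CVE-2024-7514'  => '2.3.7',
    'CVE-2024-31235' => '2.3.5',
    'CVE-2022-45370' => '2.3.1',
    'CVE-2018-11526' => '2.0.4',
];

function check(bool $cond, string $label): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $label");
    }
}

/**
 * Return ['present' => bool, 'version' => ?string, 'evidence' => string[]].
 * Matches the CSS and JS asset paths; the version comes from ?ver=, which
 * WordPress appends from the value the plugin passed to wp_enqueue_script/style.
 */
function fingerprint_plugin(string $html): array {
    $pattern = '#/wp-content/plugins/' . preg_quote(PLUGIN_SLUG, '#')
             . '/assets/(?:css/admin\.css|js/admin\.js)(?:\?ver=([0-9][0-9A-Za-z.\-]*))?#';
    $evidence = [];
    $version  = null;
    if (preg_match_all($pattern, $html, $m, PREG_SET_ORDER)) {
        foreach ($m as $hit) {
            $evidence[] = $hit[0];
            if ($version === null && isset($hit[1]) && $hit[1] !== '') {
                $version = $hit[1];
            }
        }
    }
    // Secondary DOM signals from the fingerprint list above.
    foreach (['cmt-deactivate-link', 'HW_CMT_ImpExpCsv_FILE'] as $token) {
        if (strpos($html, $token) !== false) {
            $evidence[] = $token;
        }
    }
    return ['present' => $evidence !== [], 'version' => $version, 'evidence' => $evidence];
}

/** CVEs whose "<= X" range contains $version, in the order listed above. */
function cves_affecting(string $version): array {
    $hits = [];
    foreach (AFFECTED as $cve => $maxVulnerable) {
        if (version_compare($version, $maxVulnerable, '<=')) {
            $hits[] = $cve;
        }
    }
    return $hits;
}

// Constructed sample of what a wp-admin page on an affected site might contain.
$sample = <<<HTML
<link rel="stylesheet" href="https://example.test/wp-content/plugins/comments-import-export-woocommerce/assets/css/admin.css?ver=2.3.6" />
<script src="https://example.test/wp-content/plugins/comments-import-export-woocommerce/assets/js/admin.js?ver=2.3.6"></script>
<a class="cmt-deactivate-link" href="#">Deactivate</a>
HTML;

$result = fingerprint_plugin($sample);
check($result['present'] === true, 'plugin detected');
check($result['version'] === '2.3.6', 'version recovered');
check(cves_affecting('2.3.6') === ['CVE-2025-3919', 'CVE-2024-7514'], 'affected set for 2.3.6');
check(cves_affecting('2.5.0') === [], 'current release is outside every range');
check(fingerprint_plugin('<html><body>nothing here</body></html>')['present'] === false, 'negative case');
echo "ok\n";
```

admin.css and admin.js are enqueued for wp-admin screens, so an unauthenticated crawl of the public site may never see these tags; in that case the presence check falls back to requesting /wp-content/plugins/comments-import-export-woocommerce/assets/js/admin.js directly, since plugin assets are served as static files. A ver= value equal to the WordPress core version means the plugin enqueued without its own version string, and that number says nothing about the plugin release.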
FAQ

Frequently Asked Questions about Comments Import & Export