
Import external attachments Security & Risk Analysis
wordpress.org/plugins/import-external-attachments
Makes local copies of all the linked images and PDFs in a post, adding them as gallery attachments.
Is Import external attachments Safe to Use in 2026?
High Risk
Score 41/100
Import external attachments carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.
The 'import-external-attachments' plugin v1.5.12 exhibits a concerning security posture, primarily because of its unprotected entry points and its history of unpatched vulnerabilities. The plugin does some things right: every SQL query uses a prepared statement, and some actions carry nonce and capability checks. Those positives are outweighed by the weaknesses below.
Static analysis found two AJAX handlers, neither of which verifies a nonce or a capability before acting. Because admin-ajax.php accepts requests from anyone who can reach the site, an unprotected handler is exposed to unauthenticated callers when it is registered on the wp_ajax_nopriv_ hook and to every logged-in role, subscribers included, when it is registered on wp_ajax_. Taint analysis found two data flows in which a file path reaches a filesystem operation without sanitization, a pattern that can lead to directory traversal or file manipulation even though neither flow was rated critical or high. Only 19% of output is properly escaped, so Cross-Site Scripting (XSS) is a real risk wherever plugin data is rendered without escaping.
The vulnerability history points the same way. The two known CVEs, Missing Authorization and Cross-Site Request Forgery, both affect versions <= 1.5.12, are both rated medium, and both remain unpatched. They are consistent with the unprotected handlers found by static analysis: a handler that checks neither a capability nor a nonce is open to both classes of bug at once. The most recent entry is dated 2025-12-14; whatever the accuracy of that date, no fixed version exists for either issue. Taken together (unprotected entry points, unsanitized paths, mostly unescaped output, and no fix for the disclosed issues), the plugin poses a significant risk to any WordPress site that keeps it active.
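As an added example (not the plugin's own code, and not a description of its actual handlers), the following shows the pattern the findings above describe in WordPress terms: an admin-ajax handler that imports a remote file, first without a nonce or capability check and with unsanitized input and output, then hardened with check_ajax_referer, current_user_can, URL validation and core's safe download and sideload helpers. The hook names prefixed iea_demo_, the choice of the upload_files capability and the allowed-extension list are assumptions for this example; it runs only inside WordPress, for instance dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Added example, not code from the Import external attachments plugin.
 * Hook names 'iea_demo_*', the 'upload_files' capability and the extension
 * list are assumptions. Requires a WordPress runtime (mu-plugin or plugin).
 */

// --- Weak pattern: CSRF + Missing Authorization + unsanitized path/output ---
add_action( 'wp_ajax_nopriv_iea_demo_import_weak', 'iea_demo_import_weak' ); // anonymous callers
add_action( 'wp_ajax_iea_demo_import_weak', 'iea_demo_import_weak' );        // every logged-in role
function iea_demo_import_weak() {
	$url     = $_POST['url'];      // arbitrary URL, fetched as received
	$post_id = $_POST['post_id'];  // any post, no edit_post check
	echo media_sideload_image( $url, $post_id, '', 'html' ); // markup echoed unescaped
	wp_die();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_iea_demo_import', 'iea_demo_import' ); // no wp_ajax_nopriv_ registration
function iea_demo_import() {
	// CSRF: nonce tied to this action; check_ajax_referer() dies with 403 on mismatch,
	// so nothing below runs for a forged request.
	check_ajax_referer( 'iea_demo_import', 'nonce' );

	// Authorization: caller must be allowed to edit this specific post and to upload.
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) || ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	// Input: http(s) only, host checked by core (rejects private/loopback targets),
	// extension limited to what this importer is meant to handle.
	$url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
	if ( '' === $url || ! wp_http_validate_url( $url ) ) {
		wp_send_json_error( array( 'message' => 'invalid url' ), 400 );
	}
	$path = (string) wp_parse_url( $url, PHP_URL_PATH );
	$ext  = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
	if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf' ), true ) ) {
		wp_send_json_error( array( 'message' => 'unsupported file type' ), 400 );
	}

	// Download with download_url() (built on wp_safe_remote_get), then let
	// media_handle_sideload() run the MIME/extension checks and produce a
	// sanitized, unique file name inside the uploads directory.
	$tmp = download_url( $url );
	if ( is_wp_error( $tmp ) ) {
		wp_send_json_error( array( 'message' => $tmp->get_error_message() ), 502 );
	}
	$file = array(
		'name'     => sanitize_file_name( basename( $path ) ),
		'tmp_name' => $tmp,
	);
	$attachment_id = media_handle_sideload( $file, $post_id );
	if ( is_wp_error( $attachment_id ) ) {
		@unlink( $tmp );
		wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 422 );
	}

	// Output: JSON only; any URL that later reaches HTML is escaped at render time.
	wp_send_json_success( array(
		'attachment_id' => (int) $attachment_id,
		'url'           => esc_url( wp_get_attachment_url( $attachment_id ) ),
	) );
}

// Admin-side markup that issues the nonce the hardened handler checks.
function iea_demo_import_button( $post_id ) {
	printf(
		'<button type="button" class="button" id="iea-demo-import" data-post="%d" data-nonce="%s">%s</button>',
		absint( $post_id ),
		esc_attr( wp_create_nonce( 'iea_demo_import' ) ),
		esc_html__( 'Import external attachments', 'iea-demo' )
	);
}
```

Two things a reviewer checks in a handler like this: that there is no wp_ajax_nopriv_ registration unless anonymous access is intended, and that the nonce is verified before any capability check or side effect. The two unpatched CVE classes on this page, Missing Authorization and CSRF, correspond to exactly the two checks the weak version omits.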
Key Concerns
- Two AJAX handlers without nonce or capability checks
- Two taint flows with unsanitized file paths
- Only 19% of output properly escaped
- Two unpatched CVEs (both medium severity)
- Vulnerability history: Missing Authorization, CSRF
Import external attachments Security Vulnerabilities
CVEs by Year
Severity Breakdown
2 total CVEs
Import external attachments <= 1.5.12 - Missing Authorization
Import external attachments <= 1.5.12 - Cross-Site Request Forgery
Import external attachments Release Timeline
Import external attachments Code Analysis
Output Escaping
Data Flow Analysis
Import external attachments Attack Surface
AJAX Handlers: 2
WordPress Hooks: 7
Import external attachments Maintenance & Trust
Maintenance Signals
Community Trust
Import external attachments Alternatives
The listed alternatives are gallery and lightbox plugins; none of their descriptions mentions importing external files into the media library, so check for that feature before migrating.
- Lightbox with PhotoSwipe (lightbox-photoswipe): Integration of PhotoSwipe (http://photoswipe.com) for WordPress.
- Social Photo Fetcher (facebook-photo-fetcher): Allows you to automatically create WordPress photo galleries from Facebook albums. Simple to use and highly customizable.
- PhotoSwipe (photo-swipe): A very light implementation of the PhotoSwipe JavaScript plugin for WordPress.
- WoowGallery (woowgallery): Fastest, easiest to use multifunctional image gallery plugin. Create Featured Posts Gallery, Dynamic Content Gallery, Albums!
- Fullscreen Galleria (fullscreen-galleria): A simple fullscreen gallery for WordPress.
Import external attachments Developer Profile
1 plugin · 2K total installs
How We Detect Import external attachments
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/import-external-attachments/js/import-external-images.js
- import-external-attachments/js/import-external-images.js?ver=
HTML / DOM Fingerprints
- Id, class and field-name strings: external-images, pdf-list, id="external-images", id="import_external_images_nonce", id="import_external_images", import_external_images_nonce
- HTML comments left in the rendered admin markup:
<!--
based on Import External Images v1.4 by Marty Thornley
https://github.com/MartyThornley/import-external-images
based on Add Linked Images To Gallery v1.4 by Randy Hunt
http://www.bbqiguana.com/wordpress-plugins/add-linked-images-to-gallery/
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-->
<!--
* Meta Boxes for hiding pages from main menu
-->
<!--
* Handle importing of external image
* Most of this taken from WordPress function 'media_sideload_image'
* @param string $file The URL of the image to download
* @param int $post_id The post ID the media is to be associated with
* @param string $desc Optional. Description of the image
* @return string - just the image url on success, false on failure
-->
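The matching logic these fingerprints imply, as an added example rather than the page's own scanner: it looks for the asset and DOM strings in fetched HTML and, where the script tag carries ?ver=, compares that version with the <= 1.5.12 range of the two CVEs listed above. It assumes the ?ver= value is the plugin's own version (WordPress substitutes the core version when a plugin enqueues a script without one), and the sample HTML is constructed for this example.

```php
<?php
/**
 * Added example, not the page's own scanner. Assumes the ?ver= query string
 * carries the plugin version; the sample HTML below is constructed.
 * Run with: php iea_fingerprint.php
 */

const IEA_ASSET_FINGERPRINTS = [
    '/wp-content/plugins/import-external-attachments/js/import-external-images.js',
    'import-external-attachments/js/import-external-images.js?ver=',
];

const IEA_DOM_FINGERPRINTS = [
    'id="external-images"',
    'id="import_external_images_nonce"',
    'id="import_external_images"',
    'import_external_images_nonce',
    'external-images',
    'pdf-list',
    'based on Import External Images v1.4 by Marty Thornley',
];

// Highest version affected by both listed CVEs (Missing Authorization, CSRF).
const IEA_LAST_VULNERABLE_VERSION = '1.5.12';

/**
 * Returns the matched fingerprints plus, when recoverable from ?ver=, the
 * plugin version and whether it falls inside the vulnerable range.
 */
function iea_fingerprint_match(string $html): array
{
    $result = ['asset' => [], 'dom' => [], 'version' => null, 'vulnerable' => null];

    foreach (IEA_ASSET_FINGERPRINTS as $fp) {
        if (stripos($html, $fp) !== false) {
            $result['asset'][] = $fp;
        }
    }
    foreach (IEA_DOM_FINGERPRINTS as $fp) {
        if (strpos($html, $fp) !== false) {
            $result['dom'][] = $fp;
        }
    }
    // e.g. .../import-external-images.js?ver=1.5.12 (any attribute order, quoted or bare)
    if (preg_match('#import-external-attachments/js/import-external-images\.js\?ver=([0-9]+(?:\.[0-9]+)*)#i', $html, $m)) {
        $result['version']    = $m[1];
        $result['vulnerable'] = version_compare($m[1], IEA_LAST_VULNERABLE_VERSION, '<=');
    }
    return $result;
}

function iea_detected(array $result): bool
{
    // An asset path is specific to this plugin, so one hit is enough. Short DOM
    // strings such as "external-images" or "pdf-list" are generic, so on their
    // own they need to corroborate each other.
    return count($result['asset']) > 0 || count($result['dom']) >= 2;
}

// Constructed sample: a post-edit screen on which the plugin enqueued its script.
$sample = <<<'HTML'
<html><head>
<script src="https://example.test/wp-content/plugins/import-external-attachments/js/import-external-images.js?ver=1.5.12"></script>
</head><body>
<div id="external-images">
  <input type="hidden" id="import_external_images_nonce" name="import_external_images_nonce" value="placeholder">
  <input type="submit" id="import_external_images" value="Import">
</div>
</body></html>
HTML;

$r = iea_fingerprint_match($sample);
printf(
    "detected=%s asset_hits=%d dom_hits=%d version=%s vulnerable=%s\n",
    iea_detected($r) ? 'yes' : 'no',
    count($r['asset']),
    count($r['dom']),
    $r['version'] ?? 'unknown',
    $r['vulnerable'] === null ? 'unknown' : ($r['vulnerable'] ? 'yes' : 'no')
);

// A page without the plugin's markup yields no hits.
$clean = iea_fingerprint_match('<html><body><p>hello</p></body></html>');
printf("clean page detected=%s\n", iea_detected($clean) ? 'yes' : 'no');
```

The asset path is the reliable signal; the nonce field id and the leftover HTML comments only appear on admin screens, so a crawl of the public site normally sees just the enqueued script, and an absent ?ver= leaves the version, and therefore the CVE exposure, unknown rather than safe.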