Import from YML Security & Risk Analysis

wordpress.org/plugins/import-from-yml

Import products from YML-feed to WooCommerce.

500 active installs · v4.3.0 · PHP 7.4.0+ · WP 5.9+ · Updated Feb 26, 2026

Tags: export, import, woocommerce, yandex, yml

Score: 99 · Grade A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 14, 2025
Safety Verdict

Is Import from YML Safe to Use in 2026?

Generally Safe

Score 99/100

Import from YML has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 14, 2025 · Updated 1mo ago
Risk Assessment

The "import-from-yml" plugin v4.3.0 presents a mixed security posture. While it demonstrates good practices like consistently using prepared statements for SQL queries and a high percentage of properly escaped output, several concerning aspects emerge from the static analysis. The presence of an AJAX handler without authentication checks, coupled with two instances of the dangerous `unserialize` function, significantly broadens the attack surface. The taint analysis indicates potential issues with unsanitized paths, although no critical or high severity flows were detected in this specific scan.

The plugin's vulnerability history shows one previously recorded medium severity CVE, specifically related to Cross-site Scripting. The fact that this vulnerability is currently unpatched, together with its relatively recent discovery (2025-04-14), suggests a potential for recurring or similar vulnerabilities if not addressed proactively. While the current scan doesn't flag critical code execution paths, the combination of an unprotected entry point and the `unserialize` function creates a substantial risk if an attacker can influence the data being unserialized.

In conclusion, "import-from-yml" v4.3.0 has strengths in its database query handling and output sanitization. However, the unprotected AJAX endpoint and the use of `unserialize` are significant weaknesses that introduce considerable risk. The past medium severity XSS vulnerability also warrants attention, indicating a need for ongoing vigilance and thorough auditing, especially concerning user-supplied data that might be unserialized.

Key Concerns

  • AJAX handler without auth checks
  • Dangerous function: unserialize
  • Flows with unsanitized paths
  • Medium severity CVE (unpatched)
Vulnerabilities (1)

Import from YML Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-64232 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import from YML <= 3.1.17 - Reflected Cross-Site Scripting

Apr 14, 2025 · Patched in 4.0.0 (212d)
Code Analysis (analyzed Mar 16, 2026)

Import from YML Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 4 (151 escaped)
Nonce Checks: 8
Capability Checks: 2
File Operations: 26
External Requests: 5
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `return unserialize( $result_serialized_string );` · includes\import\class-ipytw-import-xml.php:921
unserialize · `return unserialize( 'a:0:{}' );` · includes\import\class-ipytw-import-xml.php:939

Bundled Libraries

Select2

Output Escaping

97% escaped (155 total outputs)
Data Flows (5 unsanitized)

Data Flow Analysis

11 flows, 5 with unsanitized paths
save_plugin_set (admin\class-ipytw-admin.php:631)
Attack Surface (1 unprotected)

Import from YML Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_ipytw_select2 · includes\class-ipytw.php:266

WordPress Hooks 35

action · admin_notices · import-from-yml.php:152
action · admin_notices · import-from-yml.php:172
action · before_woocommerce_init · import-from-yml.php:184
action · shutdown · includes\class-ipytw-autoloader.php:96
action · plugins_loaded · includes\class-ipytw.php:202
action · admin_enqueue_scripts · includes\class-ipytw.php:219
action · admin_enqueue_scripts · includes\class-ipytw.php:220
action · init · includes\class-ipytw.php:223
action · admin_footer · includes\class-ipytw.php:226
action · admin_menu · includes\class-ipytw.php:234
action · admin_init · includes\class-ipytw.php:237
action · woocommerce_product_options_general_product_data · includes\class-ipytw.php:240
action · woocommerce_product_options_inventory_product_data · includes\class-ipytw.php:245
action · admin_init · includes\class-ipytw.php:252
filter · ipytw_f_flag_save_if_empty · includes\class-ipytw.php:255
action · ipytw_f_feedback_additional_info · includes\class-ipytw.php:273
action · upload_mimes · includes\class-ipytw.php:276
action · cron_schedules · includes\class-ipytw.php:279
action · ipytw_cron_start_feed_creation · includes\class-ipytw.php:282
action · ipytw_cron_sborki · includes\class-ipytw.php:285
action · restrict_manage_posts · includes\class-ipytw.php:288
action · request · includes\class-ipytw.php:289
action · wp_enqueue_scripts · includes\class-ipytw.php:306
action · wp_enqueue_scripts · includes\class-ipytw.php:307
action · admin_print_footer_scripts · includes\common-libs\class-icpd-promo.php:145
action · admin_notices · includes\common-libs\class-icpd-set-admin-notices.php:68
action · admin_print_footer_scripts · includes\feedback\class-ipytw-feedback.php:83
action · admin_init · includes\feedback\class-ipytw-feedback.php:90
filter · wp_mail_content_type · includes\feedback\class-ipytw-feedback.php:275
action · ipytw_activation_forms · includes\updates\class-ipytw-plugin-form-activate.php:112
filter · pre_site_transient_update_plugins · includes\updates\class-ipytw-plugin-form-activate.php:260
filter · pre_set_site_transient_update_plugins · includes\updates\class-ipytw-plugin-upd.php:136
filter · plugins_api · includes\updates\class-ipytw-plugin-upd.php:138
filter · upgrader_package_options · includes\updates\class-ipytw-plugin-upd.php:140
filter · plugin_action_links · includes\updates\class-ipytw-plugin-upd.php:141

Scheduled Events 2

ipytw_cron_start_feed_creation
ipytw_cron_sborki
Maintenance & Trust

Import from YML Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 26, 2026
PHP min version: 7.4.0
Downloads: 25K

Community Trust

Rating: 96/100
Number of ratings: 12
Active installs: 500
Developer Profile

Import from YML Developer Profile

icopydoc

14 plugins · 16K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 102 days
Detection Fingerprints

How We Detect Import from YML

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/import-from-yml/build/css/app.css
/wp-content/plugins/import-from-yml/build/js/app.js
Script Paths
/wp-content/plugins/import-from-yml/build/js/app.js
Version Parameters
import-from-yml/build/css/app.css?ver=
import-from-yml/build/js/app.js?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Import from YML