Import and export users and customers Security & Risk Analysis

wordpress.org/plugins/import-users-from-csv-with-meta

Import and export users and customers including user meta, roles, and other. Compatible with many plugins. Do it from the front end or using cron.

80K active installs · v1.29.7 · PHP + WP 3.4+ · Updated Dec 3, 2025
Tags: csv, export, exporter, import, importer
93 · A · Safe
CVEs total: 20
Unpatched: 0
Last CVE: Jan 27, 2025
Safety Verdict

Is Import and export users and customers Safe to Use in 2026?

Generally Safe

Score 93/100

Import and export users and customers has a strong security track record. Known vulnerabilities have been patched promptly.

20 known CVEs · Last CVE: Jan 27, 2025 · Updated 4mo ago
Risk Assessment

The "import-users-from-csv-with-meta" v2.0 plugin exhibits a mixed security posture. While the static analysis shows a good number of entry points are protected by authorization and nonce checks, several concerning code signals and historical vulnerability patterns warrant careful consideration. The presence of the "unserialize" function, even if not directly flagged as a critical taint flow, is a known risk for deserialization vulnerabilities if user-supplied data is ever passed to it without strict validation. The taint analysis revealing a high severity flow with unsanitized paths indicates a potential for serious security issues like path traversal or file inclusion if this flow is exploitable by an attacker.

The plugin's vulnerability history is a significant concern. With a total of 20 known CVEs, including a substantial number of high-severity issues, it suggests a recurring pattern of introducing security flaws. The breadth of vulnerability types, from sensitive information exposure and XSS to deserialization, RFI, and path traversal, points to a need for more robust secure coding practices throughout its development lifecycle. Although there are currently no unpatched CVEs, the sheer volume and variety of past vulnerabilities create an inherent risk and require vigilant monitoring and timely updates. The plugin's strengths lie in its protected entry points, but the identified code signals and historical context necessitate a cautious approach.

Key Concerns

  • High severity taint flow found
  • Use of 'unserialize' function
  • Significant historical CVEs (20)
  • Multiple high severity past CVEs (6)
  • Many medium severity past CVEs (14)
  • Low percentage of properly escaped output (62%)
  • Unsanitized paths in taint flows (2)
Vulnerabilities
20

Import and export users and customers Security Vulnerabilities

CVEs by Year

2018: 1 CVE
2019: 5 CVEs
2020: 2 CVEs
2022: 2 CVEs
2023: 2 CVEs
2024: 7 CVEs
2025: 1 CVE

Severity Breakdown

High: 6
Medium: 14

20 total CVEs

CVE-2025-24689 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Import and export users and customers <= 1.27.12 - Unauthenticated Sensitive Information Disclosure

Jan 27, 2025 Patched in 1.27.13 (8d)
CVE-2024-50413 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import and export users and customers <= 1.27.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 24, 2024 Patched in 1.27.6 (8d)
CVE-2024-38787 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Import and export users and customers <= 1.26.8 - Unauthenticated Information Exposure

Aug 7, 2024 Patched in 1.26.9 (8d)
CVE-2024-4734 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import and export users and customers <= 1.26.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 14, 2024 Patched in 1.26.7 (1d)
CVE-2024-4656 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import and export users and customers <= 1.26.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 14, 2024 Patched in 1.26.7 (1d)
CVE-2024-1050 · medium · 4.3 · Missing Authorization

Import and export users and customers <= 1.26.5 - Missing Authorization

May 3, 2024 Patched in 1.26.6 (13d)
CVE-2024-32817 · high · 7.2 · Deserialization of Untrusted Data

Import and export users and customers <= 1.26.2 - Authenticated (Admin+) PHP Object Injection

Apr 22, 2024 Patched in 1.26.3 (8d)
CVE-2024-22151 · medium · 5.3 · Missing Authorization

Import and export users and customers <= 1.24.6 - Missing Authorization via fire_cron REST endpoint

Jan 16, 2024 Patched in 1.24.7 (7d)
CVE-2023-6624 · medium · 4.9 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import and export users and customers <= 1.24.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Dec 11, 2023 Patched in 1.24.4 (232d)
CVE-2023-6583 · medium · 6.6 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Import and export users and customers <= 1.24.2 - Authenticated (Administrator+) Directory Traversal via Recurring Import Functionality

Dec 8, 2023 Patched in 1.24.3 (235d)
CVE-2022-3558 · high · 8 · Improper Neutralization of Formula Elements in a CSV File

Import and export users and customers <= 1.20.4 - Authenticated (Subscriber+) CSV Injection

Oct 17, 2022 Patched in 1.20.5 (463d)
CVE-2022-1255 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import and export users and customers <= 1.19.2 - Stored Cross-Site Scripting

Apr 11, 2022 Patched in 1.19.2.1 (652d)
CVE-2020-22277 · high · 7.3 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Import and export users and customers <= 1.16.3.5 - CSV injection via a customer's profile

Nov 20, 2020 Patched in 1.16.3.6 (1159d)

Import and export users and customers 1.15 - Sensitive Data Exposure

Jan 1, 2020 Patched in 1.15.0.1 (1483d)
CVE-2019-14683 · medium · 6.3 · Cross-Site Request Forgery (CSRF)

Import and export users and customers <= 1.14.1.3 - Cross-Site Request Forgery leading to attachment deletion & Path Traversal

Jun 22, 2019 Patched in 1.14.2.2 (1676d)
CVE-2019-15326 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Import and export users and customers <= 1.14.2.1 - Directory Traversal

Jun 20, 2019 Patched in 1.14.2.2 (1678d)
CVE-2019-15327 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import and export users and customers <= 1.14.1.2 - Cross-Site Scripting

Jun 20, 2019 Patched in 1.14.1.3 (1678d)
CVE-2019-15328 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import and export users and customers <= 1.14.0.2 - Cross-Site Scripting

Mar 14, 2019 Patched in 1.14.0.3 (1776d)
CVE-2019-15329 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Import and export users and customers <= 1.14.0.2 - Cross-Site Request Forgery

Mar 14, 2019 Patched in 1.14.0.3 (1776d)
CVE-2018-20101 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import users from CSV with meta <= 1.12 - Import Cross-Site Scripting

Dec 11, 2018 Patched in 1.12.1 (1869d)
Code Analysis
Analyzed Mar 16, 2026

Import and export users and customers Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 6 (30 prepared)
Unescaped Output: 92 (150 escaped)
Nonce Checks: 23
Capability Checks: 15
File Operations: 21
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · ( is_array( $value ) || ( is_string( $value ) && is_array( @unserialize( $value, array( 'allowed_cla · classes\batch_exporter.php:674
unserialize · $value_array = is_serialized( $value ) ? unserialize( $value, array( 'allowed_classes' => false ) ) · classes\batch_exporter.php:678
unserialize · $data[$i] = @unserialize( trim( $data[$i] ), array( 'allowed_classes' => false ) ); · classes\import.php:332

SQL Query Safety

83% prepared · 36 total queries

Output Escaping

62% escaped · 242 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
ajax_import_users_batch (classes\import.php:749)
Attack Surface

Import and export users and customers Attack Surface

Entry Points: 18
Unprotected: 0

AJAX Handlers 14

auth · wp_ajax_acui_fire_cron · classes\cron.php:10
auth · wp_ajax_acui_delete_attachment · classes\csv-uploaded.php:10
auth · wp_ajax_acui_bulk_delete_attachment · classes\csv-uploaded.php:11
auth · wp_ajax_acui_mail_options_remove_attachment · classes\email-options.php:7
auth · wp_ajax_acui_send_test_email · classes\email-options.php:8
auth · wp_ajax_acui_refresh_enable_email_templates · classes\email-templates.php:8
auth · wp_ajax_acui_email_template_selected · classes\email-templates.php:9
auth · wp_ajax_acui_export_users_csv · classes\export.php:13
auth · wp_ajax_acui_export_save_settings · classes\export.php:14
auth · wp_ajax_acui_force_reset_password_delete_metas · classes\force-reset-password.php:15
auth · wp_ajax_acui_delete_users_assign_posts_data · classes\homepage.php:11
auth · wp_ajax_acui_import_users_batch · classes\import.php:7
auth · wp_ajax_acui_delete_attachment · classes\tools.php:10
auth · wp_ajax_acui_bulk_delete_attachment · classes\tools.php:11

REST API Routes 1

GET · /wp-json/import-users-from-csv-with-meta/v1/execute-cron/ · classes\rest-api.php:11

Shortcodes 3

[import-users-from-csv-with-meta] classes\frontend.php:11
[import-users] classes\frontend.php:12
[export-users] classes\frontend.php:13
WordPress Hooks 155
filter · acui_restricted_fields · addons\advanced-custom-fields.php:11
filter · acui_not_meta_fields · addons\advanced-custom-fields.php:12
action · acui_documentation_after_plugins_activated · addons\advanced-custom-fields.php:13
action · acui_post_import_single_user · addons\advanced-custom-fields.php:14
filter · acui_export_columns · addons\advanced-custom-fields.php:15
filter · acui_export_data · addons\advanced-custom-fields.php:16
action · acui_tab_import_before_import_button · addons\allow-multiple-accounts.php:11
action · acui_tab_cron_before_log · addons\allow-multiple-accounts.php:12
filter · acui_restricted_fields · addons\buddypress.php:30
action · acui_documentation_after_plugins_activated · addons\buddypress.php:31
filter · acui_export_columns · addons\buddypress.php:32
filter · acui_export_data · addons\buddypress.php:33
action · acui_post_import_single_user · addons\buddypress.php:34
action · acui_post_import_single_user · addons\buddypress.php:35
filter · acui_restricted_fields · addons\customer-area.php:11
action · acui_documentation_after_plugins_activated · addons\customer-area.php:12
action · acui_post_import_single_user · addons\customer-area.php:13
filter · acui_restricted_fields · addons\groups.php:11
action · acui_documentation_after_plugins_activated · addons\groups.php:12
action · acui_post_import_single_user · addons\groups.php:13
action · acui_post_import_single_user · addons\groups.php:14
filter · acui_restricted_fields · addons\indeed-ultimate-membership-pro.php:11
action · acui_documentation_after_plugins_activated · addons\indeed-ultimate-membership-pro.php:12
action · acui_post_import_single_user · addons\indeed-ultimate-membership-pro.php:13
filter · acui_restricted_fields · addons\learndash.php:10
action · acui_documentation_after_plugins_activated · addons\learndash.php:11
filter · acui_restricted_fields · addons\mailpoet.php:9
action · acui_documentation_after_plugins_activated · addons\mailpoet.php:10
action · acui_post_import_single_user · addons\mailpoet.php:11
action · acui_documentation_after_plugins_activated · addons\melapress-login-security.php:13
action · acui_post_import_single_user · addons\melapress-login-security.php:14
action · acui_tab_import_before_import_button · addons\new-user-approve.php:9
action · acui_post_import_single_user · addons\new-user-approve.php:32
filter · acui_restricted_fields · addons\paid-member-subscriptions.php:10
action · acui_documentation_after_plugins_activated · addons\paid-member-subscriptions.php:11
action · acui_post_import_single_user · addons\paid-member-subscriptions.php:12
filter · acui_restricted_fields · addons\pmpro.php:12
action · acui_documentation_after_plugins_activated · addons\pmpro.php:13
action · acui_post_import_single_user · addons\pmpro.php:14
filter · acui_restricted_fields · addons\pmpro_v3.php:40
action · acui_documentation_after_plugins_activated · addons\pmpro_v3.php:41
action · acui_post_import_single_user · addons\pmpro_v3.php:42
filter · acui_restricted_fields · addons\users-group.php:9
action · acui_documentation_after_plugins_activated · addons\users-group.php:10
action · acui_post_import_single_user · addons\users-group.php:11
filter · acui_restricted_fields · addons\woocommerce-custom-fields.php:11
filter · acui_not_meta_fields · addons\woocommerce-custom-fields.php:12
action · acui_documentation_after_plugins_activated · addons\woocommerce-custom-fields.php:13
action · acui_post_import_single_user · addons\woocommerce-custom-fields.php:14
filter · acui_restricted_fields · addons\woocommerce-membership-rightpress.php:9
action · acui_documentation_after_plugins_activated · addons\woocommerce-membership-rightpress.php:10
action · acui_post_import_single_user · addons\woocommerce-membership-rightpress.php:11
filter · acui_restricted_fields · addons\woocommerce-membership.php:9
action · acui_documentation_after_plugins_activated · addons\woocommerce-membership.php:10
action · acui_post_import_single_user · addons\woocommerce-membership.php:11
filter · acui_restricted_fields · addons\woocommerce-subscriptions.php:13
action · acui_header_table_extra_rows · addons\woocommerce-subscriptions.php:14
action · acui_documentation_after_plugins_activated · addons\woocommerce-subscriptions.php:15
action · after_acui_import_users · addons\woocommerce-subscriptions.php:16
action · acui_post_import_single_user · addons\woocommerce-subscriptions.php:17
filter · woocommerce_can_subscription_be_updated_to_cancelled · addons\woocommerce-subscriptions.php:384
filter · woocommerce_can_subscription_be_updated_to_pending-cancel · addons\woocommerce-subscriptions.php:385
filter · acui_restricted_fields · addons\woocommerce.php:14
action · acui_documentation_after_plugins_activated · addons\woocommerce.php:15
action · acui_post_import_single_user · addons\woocommerce.php:16
action · after_acui_import_users · addons\woocommerce.php:17
filter · acui_import_email_body_before_wpautop · addons\woocommerce.php:18
action · acui_email_wildcards_list_elements · addons\woocommerce.php:19
filter · acui_force_reset_password_edit_profile_url · addons\woocommerce.php:20
filter · acui_force_reset_password_redirect_condition · addons\woocommerce.php:21
action · wp_head · addons\woocommerce.php:22
action · woocommerce_save_account_details · addons\woocommerce.php:23
filter · acui_restricted_fields · addons\wp-access-area.php:14
action · acui_post_import_single_user · addons\wp-access-area.php:15
filter · acui_restricted_fields · addons\wp-lms-course.php:11
action · acui_documentation_after_plugins_activated · addons\wp-lms-course.php:12
action · acui_post_import_single_user · addons\wp-lms-course.php:13
action · acui_tab_import_before_import_button · addons\wp-members.php:9
action · acui_tab_frontend_before_save_button · addons\wp-members.php:33
action · acui_post_import_single_user · addons\wp-members.php:56
filter · acui_restricted_fields · addons\wp-private-content-plus.php:13
filter · acui_export_columns · addons\wp-private-content-plus.php:14
filter · acui_export_data · addons\wp-private-content-plus.php:15
action · acui_post_import_single_user · addons\wp-private-content-plus.php:16
filter · acui_restricted_fields · addons\wp-user-avatar.php:18
action · acui_documentation_after_plugins_activated · addons\wp-user-avatar.php:19
action · acui_post_import_single_user · addons\wp-user-avatar.php:20
filter · acui_export_columns · addons\wp-user-avatar.php:21
filter · acui_export_data · addons\wp-user-avatar.php:22
filter · acui_force_reset_password_edit_profile_url · addons\wp-user-manager.php:10
filter · acui_force_reset_password_redirect_condition · addons\wp-user-manager.php:11
action · wpum_account_page_content · addons\wp-user-manager.php:12
action · wpum_after_user_password_recovery · addons\wp-user-manager.php:13
action · wpum_account_page_content · addons\wp-user-manager.php:14
filter · acui_restricted_fields · addons\wp-users-group.php:9
action · acui_documentation_after_plugins_activated · addons\wp-users-group.php:10
action · acui_post_import_single_user · addons\wp-users-group.php:11
filter · acui_import_email_body_source · addons\wpml.php:14
filter · acui_import_email_subject_source · addons\wpml.php:15
action · acui_post_import_single_user · addons\wpum-groups.php:14
filter · acui_restricted_fields · classes\actions.php:14
action · acui_documentation_after_plugins_activated · classes\actions.php:15
action · acui_post_import_single_user · classes\actions.php:21
filter · acui_export_columns · classes\batch_exporter.php:35
filter · acui_export_data · classes\batch_exporter.php:36
filter · acui_export_data · classes\batch_exporter.php:37
filter · acui_export_data · classes\batch_exporter.php:38
action · acui_columns_save_settings · classes\columns.php:8
action · user_new_form · classes\columns.php:11
action · show_user_profile · classes\columns.php:12
action · edit_user_profile · classes\columns.php:13
action · user_register · classes\columns.php:14
action · personal_options_update · classes\columns.php:15
action · edit_user_profile_update · classes\columns.php:16
action · acui_cron_save_settings · classes\cron.php:7
action · acui_cron_process · classes\cron.php:8
action · acui_cron_process_step · classes\cron.php:9
action · admin_enqueue_scripts · classes\email-options.php:6
action · acui_homepage_start · classes\email-options.php:9
action · acui_mail_options_save_settings · classes\email-options.php:10
filter · wp_kses_allowed_html · classes\email-options.php:164
action · wp_loaded · classes\email-templates.php:6
action · edit_form_after_editor · classes\email-templates.php:7
action · add_meta_boxes · classes\email-templates.php:10
action · save_post · classes\email-templates.php:11
action · acui_email_options_after_editor · classes\email-templates.php:12
action · init · classes\export.php:11
action · admin_init · classes\export.php:12
action · acui_post_import_single_user · classes\force-reset-password.php:10
action · personal_options_update · classes\force-reset-password.php:11
action · template_redirect · classes\force-reset-password.php:12
action · current_screen · classes\force-reset-password.php:13
action · admin_notices · classes\force-reset-password.php:14
action · acui_frontend_save_settings · classes\frontend.php:9
action · acui_post_frontend_import · classes\frontend.php:10
filter · send_email_change_email · classes\helper.php:576
filter · send_password_change_email · classes\helper.php:577
action · admin_enqueue_scripts · classes\homepage.php:10
filter · pre_acui_import_single_user_username · classes\import-filters.php:9
filter · acui_restricted_fields · classes\multisite.php:13
action · acui_documentation_after_plugins_activated · classes\multisite.php:14
action · acui_post_import_single_user · classes\multisite.php:15
filter · acui_email_apply_wildcards · classes\multisite.php:16
action · acui_email_wildcards_list_elements · classes\multisite.php:17
action · rest_api_init · classes\rest-api.php:7
action · admin_init · classes\wp-importer.php:7
action · export_filters · classes\wp-importer.php:8
action · bp_init · import-users-from-csv-with-meta.php:35
action · admin_menu · import-users-from-csv-with-meta.php:46
action · admin_enqueue_scripts · import-users-from-csv-with-meta.php:47
filter · plugin_action_links · import-users-from-csv-with-meta.php:48
filter · plugin_row_meta · import-users-from-csv-with-meta.php:49
filter · wp_check_filetype_and_ext · import-users-from-csv-with-meta.php:50
action · init · import-users-from-csv-with-meta.php:174
action · plugins_loaded · import-users-from-csv-with-meta.php:176
Maintenance & Trust

Import and export users and customers Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version
Downloads: 5.5M

Community Trust

Rating: 94/100
Number of ratings: 253
Active installs: 80K
Developer Profile

Import and export users and customers Developer Profile

Javier Carazo

3 plugins · 81K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 737 days
Detection Fingerprints

How We Detect Import and export users and customers

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/import-users-from-csv-with-meta/assets/style.css
/wp-content/plugins/import-users-from-csv-with-meta/assets/script.js
Script Paths
//cdn.datatables.net/2.2.2/js/dataTables.min.js
Version Parameters
import-users-from-csv-with-meta/assets/style.css?ver=
import-users-from-csv-with-meta/assets/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
acui-field
Data Attributes
data-user-id
JS Globals
acui_js_object
FAQ

Frequently Asked Questions about Import and export users and customers