Import XML and RSS Feeds Security & Risk Analysis

wordpress.org/plugins/import-xml-feed

Import content from any XML or RSS file or URL. Very useful for importing content from Wix websites.

2K active installs v2.1.6 PHP 5.6+ WP 4.5+ Updated Apr 9, 2026
Tags: feed, import, json, rss, xml
Score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Apr 5, 2024
Safety Verdict

Is Import XML and RSS Feeds Safe to Use in 2026?

Generally Safe

Score 95/100

Import XML and RSS Feeds has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Apr 5, 2024 · Updated 1mo ago
Risk Assessment

The import-xml-feed plugin, version 2.1.6, presents a mixed security posture. On the positive side, it has a relatively small attack surface, and all identified entry points (AJAX handlers) are protected by nonce and capability checks. All SQL queries use prepared statements, which is a strong defense against SQL injection. Its vulnerability history is the main concern: the plugin has 4 known CVEs, 3 critical and 1 high severity, in categories including Unrestricted Upload, Code Injection, and SSRF. This pattern of critical vulnerabilities, especially those related to code execution and server-side requests, suggests recurring and severe security flaws in the plugin's development. Static analysis also shows that 75% of outputs are not escaped, which leaves potential for Cross-Site Scripting (XSS) wherever WordPress itself does not sanitize the output. The plugin also calls `unserialize`. Although its AJAX handlers are protected by nonce and capability checks, the call remains a risk unless it only ever receives trusted, sanitized input, because `unserialize` can lead to object injection vulnerabilities.

Key Concerns

  • Multiple critical and high severity CVEs
  • Significant portion of outputs not properly escaped
  • Use of unserialize function
  • Flows with unsanitized paths found
Vulnerabilities
4 published

Import XML and RSS Feeds Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2023: 2 CVEs
  • 2024: 1 CVE

Severity Breakdown

Critical: 3
High: 1

4 total CVEs

CVE-2024-31292 · critical · 9.1 · Unrestricted Upload of File with Dangerous Type

Import XML and RSS Feeds <= 2.1.5 - Authenticated (Administrator+) Arbitrary File Upload

Apr 5, 2024 Patched in 2.1.6 (6d)
CVE-2023-4521 · critical · 9.8 · Improper Control of Generation of Code ('Code Injection')

Import XML and RSS Feeds <= 2.1.4 - Unauthenticated Remote Code Execution

Aug 28, 2023 Patched in 2.1.5 (148d)
CVE-2023-4300 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Import XML and RSS Feeds <= 2.1.3 - Authenticated (Admin+) Arbitrary File Upload

Aug 28, 2023 Patched in 2.1.4 (148d)
CVE-2020-24148 · critical · 9.1 · Server-Side Request Forgery (SSRF)

Import XML and RSS Feeds <= 2.0.2 - Server-Side Request Forgery

Apr 13, 2021 Patched in 2.0.3 (1015d)
Code Analysis
Analyzed Mar 16, 2026

Import XML and RSS Feeds Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 84 (28 escaped)
Nonce Checks: 5
Capability Checks: 5
File Operations: 3
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$wp_repo_response = unserialize( wp_remote_retrieve_body( $wp_response ) );` · controllers\moove-controller.php:136

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

25% escaped · 112 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

6 flows · 2 with unsanitized paths
moove_read_xml (moove-actions.php:79)
Attack Surface

Import XML and RSS Feeds Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers 5

  • auth · wp_ajax_moove_read_xml · moove-actions.php:63
  • auth · wp_ajax_moove_create_post · moove-actions.php:65
  • auth · wp_ajax_moove_save_import_template · moove-actions.php:67
  • auth · wp_ajax_moove_load_import_template · moove-actions.php:69
  • auth · wp_ajax_moove_delete_import_template · moove-actions.php:71
WordPress Hooks 14
  • action · moove_importer_sanitize_xml · controllers\moove-controller.php:28
  • action · moove_importer_check_other_taxonomies · controllers\moove-controller.php:29
  • action · moove_importer_addons_tabs · controllers\moove-controller.php:30
  • action · moove_importer_check_extensions · controllers\moove-controller.php:31
  • action · init · controllers\moove-controller.php:32
  • action · moove_importer_sanitize_xml · moove-actions.php:31
  • action · moove_importer_get_attribues · moove-actions.php:32
  • action · moove_importer_check_other_taxonomies · moove-actions.php:33
  • action · admin_enqueue_scripts · moove-actions.php:43
  • filter · plugin_row_meta · moove-importer.php:52
  • action · admin_menu · moove-options.php:24
  • action · moove_importer_addons_tab_content · moove-options.php:25
  • action · moove_importer_buttons · moove-options.php:26
  • action · plugins_loaded · moove-options.php:27
Maintenance & Trust

Import XML and RSS Feeds Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 9, 2026
PHP min version: 5.6
Downloads: 122K

Community Trust

Rating: 76/100
Number of ratings: 24
Active installs: 2K
Developer Profile

Import XML and RSS Feeds Developer Profile

Moove Agency

6 plugins · 308K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 314 days
Detection Fingerprints

How We Detect Import XML and RSS Feeds

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/import-xml-feed/assets/css/moove_importer_backend.css
/wp-content/plugins/import-xml-feed/assets/js/moove_importer_backend.js
Script Paths
/wp-content/plugins/import-xml-feed/assets/js/moove_importer_backend.js
Version Parameters
moove_importer_backend, moove-feed-importer, import-xml-feed

HTML / DOM Fingerprints

CSS Classes
moove-importer-accordion, moove-importer-accordion-header, moove-importer-accordion-content, moove-importer-dynamic-accordion, moove_cpt_tax, import-xml-star-rating
HTML Comments
<!-- .moove-importer-dropdown-header -->
Data Attributes
data-nonce_field, data-nonce_verify
JS Globals
moove_importer_ajax_object
REST Endpoints
/wp-json/moove-importer/v1/ajax
Shortcode Output
[moove_import_xml_feed]
FAQ

Frequently Asked Questions about Import XML and RSS Feeds