Import WP – Export and Import CSV and XML files to WordPress Security & Risk Analysis

wordpress.org/plugins/jc-importer

Import WP, a simple, fast and powerful XML and CSV import solution, making it easy to import posts, pages, categories, tags, users and attachments.

5K active installs · v2.14.21 · PHP 5.6+ · WP 4.0+ · Updated Jan 27, 2026
Tags: csv, datafeed, wordpress-csv-import, wordpress-xml-import, xml
Score: 90 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Nov 20, 2025
Safety Verdict

Is Import WP – Export and Import CSV and XML files to WordPress Safe to Use in 2026?

Generally Safe

Score 90/100

Import WP – Export and Import CSV and XML files to WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Nov 20, 2025 · Updated 2mo ago
Risk Assessment

The "jc-importer" v2.14.21 plugin exhibits a mixed security posture. While the static analysis indicates a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication, this is undermined by several concerning code signals. The significant presence of the `unserialize` function (15 instances) is a major red flag: calling it on user-supplied data without strict validation can lead to PHP object injection and, through it, Remote Code Execution.

Taint analysis reveals that 4 out of 5 flows have unsanitized paths, though fortunately, no critical or high severity issues were identified in this analysis. This suggests a potential for path traversal vulnerabilities or other file-related exploits if user input is not meticulously sanitized before being used in file operations. The plugin also performs a substantial number of file operations (57) and external HTTP requests (3), increasing the potential for misconfigurations or vulnerabilities to be exploited in conjunction with unsanitized paths.

The vulnerability history is a significant concern, with 5 known CVEs, including 2 high severity ones. The common types of past vulnerabilities (Files or Directories Accessible to External Parties, External Control of File Name or Path, Exposure of Sensitive Information, SSRF, Unrestricted Upload) strongly suggest recurring weaknesses in how the plugin handles external inputs and file operations. The fact that there are currently no unpatched CVEs is positive, but the historical pattern is indicative of a plugin that has struggled with robust security in these areas.

In conclusion, while the current version boasts a limited attack surface and good output escaping, the historical vulnerability patterns and the use of `unserialize` coupled with unsanitized paths present notable risks that require careful management and vigilance.

Key Concerns

  • High count of dangerous function (unserialize)
  • Flows with unsanitized paths detected
  • History of 5 known CVEs
  • History of 2 high severity CVEs
  • History of 3 medium severity CVEs
  • Significant number of file operations
  • External HTTP requests present
Vulnerabilities (5)

Import WP – Export and Import CSV and XML files to WordPress Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 1 CVE
  • 2025: 3 CVEs

Severity Breakdown

  • High: 2
  • Medium: 3

5 total CVEs

CVE-2025-12894 · medium · 5.3 · Files or Directories Accessible to External Parties

Import WP – Export and Import CSV and XML files to WordPress <= 2.14.17 - Unauthenticated Information Exposure

Nov 20, 2025 · Patched in 2.14.18 (1d)

CVE-2025-12137 · medium · 4.9 · External Control of File Name or Path

Import WP – Export and Import CSV and XML files to WordPress <= 2.14.16 - Authenticated (Admin+) Arbitrary File Read

Oct 31, 2025 · Patched in 2.14.17 (1d)

CVE-2024-13562 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

Import WP – Export and Import CSV and XML files to WordPress <= 2.14.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

Jan 24, 2025 · Patched in 2.14.6 (1d)

CVE-2023-7253 · medium · 5.5 · Server-Side Request Forgery (SSRF)

Import WP – Export and Import CSV and XML files to WordPress <= 2.13.0 - Authenticated (Admin+) Server-Side Request Forgery

Apr 3, 2024 · Patched in 2.13.1 (29d)

CVE-2022-1273 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Import WP – Import and Export WordPress data to XML or CSV files <= 2.4.5 - Authenticated Arbitrary File Upload

Apr 11, 2022 · Patched in 2.4.6 (652d)

Code Analysis
Analyzed Mar 16, 2026

Import WP – Export and Import CSV and XML files to WordPress Code Analysis

  • Dangerous Functions: 15
  • Raw SQL Queries: 21 (33 prepared)
  • Unescaped Output: 9 (160 escaped)
  • Nonce Checks: 1
  • Capability Checks: 1
  • File Operations: 57
  • External Requests: 3
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `return unserialize($result['data']);` · class\Common\Exporter\State\ExporterState.php:188
  • unserialize · `$value = unserialize($value);` · class\Common\Importer\Mapper\CommentMapper.php:292
  • unserialize · `$value = unserialize($value);` · class\Common\Importer\Mapper\CommentMapper.php:310
  • unserialize · `$value = unserialize($value);` · class\Common\Importer\Mapper\PostMapper.php:427
  • unserialize · `$value = unserialize($value);` · class\Common\Importer\Mapper\PostMapper.php:445
  • unserialize · `$value = unserialize($value);` · class\Common\Importer\Mapper\TermMapper.php:305
  • unserialize · `$value = unserialize($value);` · class\Common\Importer\Mapper\TermMapper.php:320
  • unserialize · `$value = unserialize($value);` · class\Common\Importer\Mapper\UserMapper.php:360
  • unserialize · `$value = unserialize($value);` · class\Common\Importer\Mapper\UserMapper.php:370
  • unserialize · `return unserialize($result['data']);` · class\Common\Importer\State\ImporterState.php:194
  • unserialize · `$data = unserialize($importer['post_content']);` · class\Common\Migration\Migrations.php:691
  • unserialize · `$data = unserialize($importer['post_content']);` · class\Common\Migration\Migrations.php:732
  • unserialize · `$data = unserialize($result['post_content']);` · class\Common\Rest\RestManager.php:1528
  • unserialize · `'data' => unserialize($result['post_content']),` · class\Common\Rest\RestManager.php:1585
  • unserialize · `return unserialize($result['data']);` · class\Common\Runner\RunnerState.php:318

SQL Query Safety

61% prepared · 54 total queries

Output Escaping

95% escaped · 169 total outputs

Data Flows (4 unsanitized)

Data Flow Analysis

5 flows · 4 with unsanitized paths
download_file (class\Common\Exporter\ExporterManager.php:36)
Attack Surface

Import WP – Export and Import CSV and XML files to WordPress Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 53

  • action · iwp/register_events · class\Common\Addon\AddonBase.php:72
  • action · iwp/importer/shutdown · class\Common\Addon\AddonBase.php:88
  • filter · iwp/template/permission_fields · class\Common\Addon\AddonBase.php:148
  • action · init · class\Common\Addon\AddonBase.php:483
  • filter · iwp/custom_field_key · class\Common\Addon\AddonCustomFieldsApi.php:33
  • action · iwp/register_events · class\Common\AddonAPI\ImporterAddon.php:46
  • filter · iwp/template/permission_fields · class\Common\AddonAPI\ImporterAddon.php:142
  • filter · iwp/custom_field_key · class\Common\AddonAPI\ImporterAddon.php:173
  • filter · iwp/importer/skip_record · class\Common\AddonAPI\ImporterAddon.php:205
  • action · iwp/importer/init · class\Common\AddonAPI\ImporterAddon.php:214
  • action · iwp/importer/before_row · class\Common\AddonAPI\ImporterAddon.php:231
  • action · iwp/importer/after_row · class\Common\AddonAPI\ImporterAddon.php:242
  • filter · iwp/custom_fields/log_message · class\Common\AddonAPI\ImporterAddon.php:257
  • action · admin_init · class\Common\Compatibility\CompatibilityManager.php:26
  • action · iwp/compat/register_muplugin_uninstall · class\Common\Compatibility\CompatibilityManager.php:28
  • action · admin_init · class\Common\Exporter\ExporterManager.php:28
  • filter · iwp/exporter_record/comment · class\Common\Exporter\Mapper\CommentMapper.php:21
  • filter · iwp/exporter_record/post · class\Common\Exporter\Mapper\PostMapper.php:21
  • filter · iwp/exporter_record/tax · class\Common\Exporter\Mapper\TaxMapper.php:31
  • filter · iwp/exporter_record/user · class\Common\Exporter\Mapper\UserMapper.php:17
  • filter · iwp/importer/file_uploaded/file_path · class\Common\Filesystem\ZipArchive.php:10
  • filter · rocket_is_importing · class\Common\Importer\Importer.php:261
  • filter · upload_dir · class\Common\Importer\ImporterManager.php:276
  • filter · wp_handle_upload_prefilter · class\Common\Importer\ImporterManager.php:322
  • filter · upload_dir · class\Common\Importer\ImporterManager.php:678
  • filter · iwp/importer/mapper/hash_check_enabled · class\Common\Importer\ImporterManager.php:764
  • filter · iwp/importer/generate_field_map/custom_fields · class\Common\Importer\Template\AttachmentTemplate.php:188
  • filter · iwp/importer/before_mapper · class\Common\Importer\Template\Template.php:163
  • filter · iwp/status/record_inserted · class\Common\Importer\Template\Template.php:164
  • filter · iwp/status/record_updated · class\Common\Importer\Template\Template.php:165
  • filter · send_password_change_email · class\Common\Importer\Template\UserTemplate.php:167
  • filter · send_email_change_email · class\Common\Importer\Template\UserTemplate.php:172
  • filter · content_save_pre · class\Common\Migration\Migrations.php:714
  • filter · content_save_pre · class\Common\Migration\Migrations.php:886
  • filter · content_save_pre · class\Common\Migration\Migrations.php:943
  • filter · content_save_pre · class\Common\Model\ExporterModel.php:176
  • filter · content_save_pre · class\Common\Model\ImporterModel.php:327
  • action · admin_menu · class\Common\Plugin\Menu.php:41
  • action · tool_box · class\Common\Plugin\Menu.php:42
  • filter · update_footer · class\Common\Plugin\Menu.php:44
  • filter · admin_footer_text · class\Common\Plugin\Menu.php:45
  • action · rest_api_init · class\Common\Rest\RestManager.php:75
  • filter · upload_dir · class\Common\Rest\RestManager.php:1060
  • action · admin_init · class\Common\UI\AdminNotices.php:12
  • action · admin_notices · class\Common\UI\AdminNotices.php:13
  • filter · option_active_plugins · compatibility\importwp-compatibility.php:28
  • action · admin_notices · setup-iwp.php:44
  • filter · iwp/frontent/notices · setup-iwp.php:88
  • action · plugins_loaded · setup-iwp.php:94
  • action · after_plugin_row_importwp-zip-archive/zip-archive.php · setup-iwp.php:131
  • action · plugins_loaded · setup-iwp.php:134
  • action · plugins_loaded · setup-iwp.php:146
  • action · init · setup-iwp.php:169
Maintenance & Trust

Import WP – Export and Import CSV and XML files to WordPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 27, 2026
  • PHP min version: 5.6
  • Downloads: 240K

Community Trust

  • Rating: 88/100
  • Number of ratings: 25
  • Active installs: 5K
Developer Profile

Import WP – Export and Import CSV and XML files to WordPress Developer Profile

jcollings

2 plugins · 9K total installs

  • Trust score: 71
  • Avg Security Score: 88/100
  • Avg Patch Time: 137 days
Detection Fingerprints

How We Detect Import WP – Export and Import CSV and XML files to WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/jc-importer/dist/index.css
/wp-content/plugins/jc-importer/dist/index.js
Script Paths
/wp-content/plugins/jc-importer/dist/index.js
Version Parameters
jc-importer/dist/index.css?ver=
jc-importer/dist/index.js?ver=

HTML / DOM Fingerprints

CSS Classes
iwp-footer-link
JS Globals
iwp
REST Endpoints
/wp-json/jc-importer/
FAQ

Frequently Asked Questions about Import WP – Export and Import CSV and XML files to WordPress