One Click Demo Import Security & Risk Analysis

wordpress.org/plugins/one-click-demo-import

Import your demo content, widgets and theme settings with one click. Theme authors! Enable simple theme demo import for your users.

1.0M active installs · v3.4.0 · PHP 7.4+ · WP 5.5+ · Updated Sep 11, 2025
Tags: content, import, settings, theme-options, widgets

Score: 97 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: May 7, 2024
Safety Verdict

Is One Click Demo Import Safe to Use in 2026?

Generally Safe

Score 97/100

One Click Demo Import has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: May 7, 2024 · Updated 6mo ago
Risk Assessment

The 'one-click-demo-import' plugin exhibits a mixed security posture. While it demonstrates good practices in SQL query handling and output escaping, with 100% prepared statements and 99% properly escaped outputs, significant concerns arise from its attack surface and vulnerability history. The presence of 6 AJAX handlers, 4 of which lack authentication checks, presents a considerable risk. This, combined with the use of the `unserialize` function, which is inherently risky when handling untrusted data, creates potential pathways for malicious exploitation.

The plugin's vulnerability history, with 2 known high-severity CVEs (one for Deserialization of Untrusted Data, one for Unrestricted Upload of a File with Dangerous Type), is a major red flag. That the most recent of these was fixed only recently (2024-05-07) suggests a recurring pattern of introducing, or failing to adequately sanitize, inputs that lead to these critical vulnerability classes. Although the static analysis detected no critical taint flows, the historical pattern and the vulnerable code signals identified below cannot be ignored.

In conclusion, the plugin has strengths in its internal code practices for SQL and output handling. However, the significant number of unprotected AJAX endpoints and the historical prevalence of high-severity deserialization and upload vulnerabilities point to a need for substantial security improvements. The lack of authentication on a substantial portion of its entry points is a critical weakness that needs immediate attention.

Key Concerns

  • 4 AJAX handlers without auth checks
  • Use of unserialize function
  • 2 high severity CVEs (Deserialization/Upload)
  • Large attack surface (6 total entry points)
Vulnerabilities (2)

One Click Demo Import Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 1 CVE

Severity Breakdown

High: 2 (2 total CVEs)

CVE-2024-34433 · High · 7.2 · Deserialization of Untrusted Data
One Click Demo Import <= 3.2.0 - Authenticated (Admin+) PHP Object Injection
May 7, 2024 · Patched in 3.2.1 (9d)

CVE-2022-1008 · High · 7.2 · Unrestricted Upload of File with Dangerous Type
Catch Themes Demo Import <= 3.0.2 - Authenticated (Admin+) Arbitrary File Upload
Apr 11, 2022 · Patched in 3.1.0 (652d)
Code Analysis (analyzed Mar 16, 2026)

One Click Demo Import Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (193 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 1
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize in inc\CustomizerImporter.php:87:
`$data = unserialize( $raw , array( 'allowed_classes' => false ) );`

Output Escaping

99% escaped (194 total outputs)

Data Flows: all sanitized

Data Flow Analysis

1 flow: <import> (views\import.php:0)
Attack Surface (4 unprotected)

One Click Demo Import Attack Surface

Entry Points: 6
Unprotected: 4

AJAX Handlers (6)

[auth] wp_ajax_ocdi_import_created_content · inc\CreateDemoContent\DemoContentCreator.php:33
[auth] wp_ajax_ocdi_upload_manual_import_files · inc\OneClickDemoImport.php:123
[auth] wp_ajax_ocdi_import_demo_data · inc\OneClickDemoImport.php:124
[auth] wp_ajax_ocdi_import_customizer_data · inc\OneClickDemoImport.php:125
[auth] wp_ajax_ocdi_after_import_data · inc\OneClickDemoImport.php:126
[auth] wp_ajax_ocdi_install_plugin · inc\PluginInstaller.php:28
WordPress Hooks (33)

action · ocdi/demo_content_creator_after_import · inc\CreateDemoContent\DemoContentCreator.php:31
filter · wxr_importer.pre_process.post · inc\CreateDemoContent\DemoContentCreator.php:258
filter · wxr_importer.pre_process.user · inc\CreateDemoContent\DemoContentCreator.php:272
filter · upload_mimes · inc\Helpers.php:452
action · ocdi/before_content_import_execution · inc\ImportActions.php:17
action · ocdi/after_content_import_execution · inc\ImportActions.php:20
action · ocdi/after_content_import_execution · inc\ImportActions.php:21
action · ocdi/after_content_import_execution · inc\ImportActions.php:22
action · ocdi/after_content_import_execution · inc\ImportActions.php:23
action · ocdi/customizer_import_execution · inc\ImportActions.php:26
action · ocdi/after_all_import_execution · inc\ImportActions.php:29
action · ocdi/widget_settings_array · inc\ImportActions.php:33
filter · wxr_importer.pre_process.user · inc\Importer.php:126
filter · wxr_importer.pre_process.post · inc\Importer.php:129
filter · intermediate_image_sizes_advanced · inc\Importer.php:133
action · admin_menu · inc\OneClickDemoImport.php:121
action · admin_enqueue_scripts · inc\OneClickDemoImport.php:122
action · after_setup_theme · inc\OneClickDemoImport.php:127
action · user_admin_notices · inc\OneClickDemoImport.php:128
action · admin_notices · inc\OneClickDemoImport.php:129
action · all_admin_notices · inc\OneClickDemoImport.php:130
action · admin_init · inc\OneClickDemoImport.php:131
action · set_object_terms · inc\OneClickDemoImport.php:132
filter · wxr_importer.pre_process.post · inc\OneClickDemoImport.php:133
action · wxr_importer.process_failed.post · inc\OneClickDemoImport.php:134
action · wp_import_insert_post · inc\OneClickDemoImport.php:135
action · ocdi/after_import · inc\OneClickDemoImport.php:136
action · ocdi/plugin_intaller_before_plugin_activation · inc\PluginInstaller.php:25
action · ocdi/plugin_intaller_after_plugin_activation · inc\PluginInstaller.php:26
filter · ocdi/time_for_one_ajax_call · inc\WPCLICommands.php:190
filter · wxr_importer.pre_process.term · inc\WXRImporter.php:28
action · admin_notices · one-click-demo-import.php:34
action · admin_init · one-click-demo-import.php:89
Maintenance & Trust

One Click Demo Import Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 11, 2025
PHP min version: 7.4
Downloads: 19.9M

Community Trust

Rating: 86/100
Number of ratings: 79
Active installs: 1.0M
Developer Profile

One Click Demo Import Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect One Click Demo Import

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/one-click-demo-import/assets/css/ocdi-admin.css
/wp-content/plugins/one-click-demo-import/assets/css/ocdi-frontend.css
/wp-content/plugins/one-click-demo-import/assets/js/ocdi-frontend.js
/wp-content/plugins/one-click-demo-import/assets/js/ocdi-plugin-installer.js
/wp-content/plugins/one-click-demo-import/assets/js/ocdi-main.js

Script Paths
/wp-content/plugins/one-click-demo-import/vendor/js/jquery/jquery.min.js

Version Parameters
one-click-demo-import/assets/css/ocdi-admin.css?ver=
one-click-demo-import/assets/css/ocdi-frontend.css?ver=
one-click-demo-import/assets/js/ocdi-frontend.js?ver=
one-click-demo-import/assets/js/ocdi-plugin-installer.js?ver=
one-click-demo-import/assets/js/ocdi-main.js?ver=

HTML / DOM Fingerprints

CSS Classes
ocdi-content-wrapper, ocdi-backend-notice, ocdi-pre-import-notice, ocdi-notice-icon, ocdi-notice-message, ocdi-manage-notice-message, ocdi-admin-notice, ocdi-plugin-page-header (+75 more)

HTML Comments
<!-- The One Click Demo Import plugin requires PHP 7.4+ to run properly. Please contact your hosting company and ask them to update the PHP version of your site to at least PHP 7.4 -->
<!-- Main plugin class with initialization tasks. -->
<!-- Constructor for this class. -->
<!-- Display admin error message if PHP version is older than 7.4. -->
(+48 more)

Data Attributes
data-id, data-parent, data-slug, data-title, data-required, data-installed (+15 more)

JS Globals
ocdi, ocdi_plugin_installer, ocdi_wxr_import_strings, ocdi_importer, ocdi_ajax_url, ocdi_nonce (+1 more)

REST Endpoints
/wp-json/ocdi/v1/import-files
/wp-json/ocdi/v1/import-demo
/wp-json/ocdi/v1/import-customizer
/wp-json/ocdi/v1/after-import
FAQ

Frequently Asked Questions about One Click Demo Import