URL Image Importer Security & Risk Analysis

wordpress.org/plugins/url-image-importer

Import images from URLs, CSV files, or WordPress XML exports directly into your WordPress Media Library to use across your entire site!

500 active installs · v1.0.8 · PHP 7.4+ · WP 5.3+ · Updated Dec 29, 2025
Tags: csv-import, image-import, import-image, import-image-to-media-library, media-library
Score: 96 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jan 5, 2026
Safety Verdict

Is URL Image Importer Safe to Use in 2026?

Generally Safe

Score 96/100

URL Image Importer has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 5, 2026 · Updated 3mo ago
Risk Assessment

The url-image-importer plugin v1.0.8 exhibits a mixed security posture. On the positive side, it demonstrates good practices such as a high percentage of prepared SQL statements and properly escaped outputs, along with a robust number of nonce and capability checks. The absence of dangerous functions and critical/high severity taint flows is also encouraging. However, there are notable areas of concern. The presence of one AJAX handler without any authentication checks creates a significant attack vector that could be exploited by unauthenticated users.

The vulnerability history reveals a pattern of past security issues, including high and medium severity vulnerabilities like Cross-site Scripting and Unrestricted File Uploads. While there are currently no unpatched CVEs, the historical prevalence of these types of vulnerabilities, especially those related to input sanitization and file handling, suggests potential weaknesses in how user-supplied data is processed. The taint analysis, while not reporting critical issues, did find flows with unsanitized paths, which can be a precursor to security problems if not addressed.

In conclusion, while the plugin has several strengths in its current implementation, the combination of an unprotected AJAX endpoint and a history of serious vulnerabilities warrants caution. The potential for unauthenticated actions and the recurring types of past exploits indicate that careful monitoring and potentially further code review are advisable to ensure ongoing security.

Key Concerns

  • Unprotected AJAX handler
  • History of High severity CVEs
  • History of Medium severity CVEs
  • Taint flows with unsanitized paths
Vulnerabilities
2

URL Image Importer Security Vulnerabilities

CVEs by Year

  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 1

2 total CVEs

CVE-2025-14120 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Jan 5, 2026 · Patched in 1.0.8 (1d)

CVE-2025-12138 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

URL Image Importer <= 1.0.6 - Authenticated (Author+) Arbitrary File Upload

Nov 20, 2025 · Patched in 1.0.7 (1d)

Code Analysis
Analyzed Mar 16, 2026

URL Image Importer Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (10 prepared)
  • Unescaped Output: 19 (125 escaped)
  • Nonce Checks: 12
  • Capability Checks: 26
  • File Operations: 46
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

83% prepared · 12 total queries

Output Escaping

87% escaped · 144 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

8 flows · 4 with unsanitized paths
uimptr_handle_xml_import (url-image-importer.php:338)
Attack Surface
1 unprotected

URL Image Importer Attack Surface

Entry Points: 14
Unprotected: 1

AJAX Handlers 14

  • auth · wp_ajax_bfu_chunker · classes\tuxedo_big_file_uploads.php:81
  • auth · wp_ajax_bfu_file_scan · classes\tuxedo_big_file_uploads.php:94
  • auth · wp_ajax_bfu_upload_dismiss · classes\tuxedo_big_file_uploads.php:95
  • auth · wp_ajax_bfu_upgrade_dismiss · classes\tuxedo_big_file_uploads.php:96
  • auth · wp_ajax_bfu_subscribe_dismiss · classes\tuxedo_big_file_uploads.php:97
  • auth · wp_ajax_uimptr_handle_promo_action · src\Admin\PromoNotices.php:43
  • auth · wp_ajax_uimptr_bfu_file_scan · url-image-importer.php:1933
  • auth · wp_ajax_uimptr_import_single_url · url-image-importer.php:1970
  • auth · wp_ajax_uimptr_process_xml_import · url-image-importer.php:2055
  • auth · wp_ajax_uimptr_test_connection · url-image-importer.php:2066
  • auth · wp_ajax_uimptr_process_csv_import · url-image-importer.php:2142
  • auth · wp_ajax_uimptr_batch_import · url-image-importer.php:2304
  • auth · wp_ajax_uimptr_cancel_import · url-image-importer.php:2332
  • auth · wp_ajax_uimptr_subscribe_dismiss · url-image-importer.php:2826

WordPress Hooks 22

  • action · plugins_loaded · classes\tuxedo_big_file_uploads.php:73
  • action · admin_notices · classes\tuxedo_big_file_uploads.php:74
  • filter · plupload_init · classes\tuxedo_big_file_uploads.php:75
  • filter · upload_post_params · classes\tuxedo_big_file_uploads.php:76
  • filter · plupload_default_settings · classes\tuxedo_big_file_uploads.php:77
  • filter · plupload_default_params · classes\tuxedo_big_file_uploads.php:78
  • filter · upload_size_limit · classes\tuxedo_big_file_uploads.php:79
  • action · post-upload-ui · classes\tuxedo_big_file_uploads.php:82
  • action · enqueue_block_editor_assets · classes\tuxedo_big_file_uploads.php:83
  • filter · block_editor_settings_all · classes\tuxedo_big_file_uploads.php:84
  • filter · plugin_action_links_tuxedo-big-file-uploads/tuxedo_big_file_uploads.php · classes\tuxedo_big_file_uploads.php:88
  • filter · network_admin_plugin_action_links_tuxedo-big-file-uploads/tuxedo_big_file_uploads.php · classes\tuxedo_big_file_uploads.php:91
  • action · network_admin_notices · classes\tuxedo_big_file_uploads.php:101
  • action · admin_notices · classes\tuxedo_big_file_uploads.php:103
  • action · admin_notices · src\Admin\PromoNotices.php:42
  • action · admin_notices · url-image-importer.php:105
  • filter · upload_mimes · url-image-importer.php:149
  • filter · wp_check_filetype_and_ext · url-image-importer.php:159
  • action · admin_menu · url-image-importer.php:268
  • action · admin_enqueue_scripts · url-image-importer.php:333
  • filter · infinite_uploads_exclude_file · url-image-importer.php:2770
  • action · uimptr_cleanup_temp_files · url-image-importer.php:2774

Scheduled Events 1

uimptr_cleanup_temp_files
Maintenance & Trust

URL Image Importer Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Dec 29, 2025
  • PHP min version: 7.4
  • Downloads: 4K

Community Trust

  • Rating: 0/100
  • Number of ratings: 0
  • Active installs: 500
Developer Profile

URL Image Importer Developer Profile

Infinite Uploads

6 plugins · 101K total installs

  • Trust score: 93
  • Avg Security Score: 98/100
  • Avg Patch Time: 18 days
Detection Fingerprints

How We Detect URL Image Importer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/url-image-importer/css/url-image-importer.css
  • /wp-content/plugins/url-image-importer/js/url-image-importer.js
Script Paths
/wp-content/plugins/url-image-importer/js/url-image-importer.js
Version Parameters
  • url-image-importer/css/url-image-importer.css?ver=
  • url-image-importer/js/url-image-importer.js?ver=

HTML / DOM Fingerprints

CSS Classes
url-image-importer-wrap
Data Attributes
data-id="url-image-importer-admin-page"
JS Globals
urlImageImporter
FAQ

Frequently Asked Questions about URL Image Importer