WP-Safety

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Security & Risk Analysis

wordpress.org/plugins/wp-all-export

Easily export data from any post type, custom field, or taxonomy to a CSV, XML, or Excel file of any custom format. Supports WooCommerce products, ord …

100K active installs v1.4.15 PHP 7.4+ WP 5.0+ Updated Feb 7, 2026
exportexport-woocommercemigratewordpress-csv-exportwordpress-xml-export
84
B · Generally Safe
CVEs total7
Unpatched0
Last CVEFeb 17, 2026
Plugin page Download
Safety Verdict

Is WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Safe to Use in 2026?

Mostly Safe

Score 84/100

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel is generally safe to use. 7 past CVEs were resolved.

7 known CVEsLast CVE: Feb 17, 2026Updated 3mo ago
Risk Assessment

The plugin 'wp-all-export' v1.4.15 exhibits a mixed security posture. While it demonstrates strong adherence to good practices such as implementing nonce checks, capability checks, and utilizing prepared statements for a majority of its SQL queries, there are significant areas of concern. The presence of the `unserialize` function, even if not directly exploitable in this version's static analysis, remains a historical risk factor. Taint analysis revealed flows with unsanitized paths, indicating potential for data manipulation or unauthorized access, although no critical or high-severity issues were found in this specific analysis.

The plugin's vulnerability history is a major red flag. With a total of 7 known CVEs, including a past critical vulnerability and multiple high-severity ones, the plugin has a track record of security flaws. The common vulnerability types point to systemic issues such as code injection, SQL injection, and cross-site scripting, suggesting potential weaknesses in input validation and output sanitization that may not be fully mitigated in this version. The most recent vulnerability being in 2026 indicates a potential for ongoing, undiscovered vulnerabilities.

In conclusion, while 'wp-all-export' v1.4.15 shows improvements in certain security areas, its historical vulnerability record and the presence of potentially dangerous functions and unsanitized paths necessitate a cautious approach. Users should be aware of the past security incidents and the inherent risks associated with plugins that have a history of significant vulnerabilities.

Key Concerns

  • Dangerous function: unserialize present
  • Taint flows with unsanitized paths
  • High number of total known CVEs
  • Past critical CVE
  • Past high severity CVEs (2)
  • Bundled outdated library: Select2 v3.4.5
Vulnerabilities
7 published

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Security Vulnerabilities

CVEs by Year

1 CVE in 2021
2021
2 CVEs in 2022
2022
3 CVEs in 2023
2023
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Critical
1
High
2
Medium
3
Low
1

7 total CVEs

CVE-2026-1582low · 3.7Exposure of Sensitive Information to an Unauthorized Actor

WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling

Feb 17, 2026 Patched in 1.4.15 (2d)
CVE-2023-4724medium · 6.4Improper Control of Generation of Code ('Code Injection')

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 - Authenticated (Admin+) Remote Code Execution

Nov 24, 2023 Patched in 1.4.1 (60d)
CVE-2023-5882high · 8.8Cross-Site Request Forgery (CSRF)

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 - Cross-Site Request Forgery to Remote Code Execution

Nov 24, 2023 Patched in 1.4.1 (60d)
CVE-2023-5886high · 8.8Cross-Site Request Forgery (CSRF)

Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 - Cross-Site Request Forgery to PHAR Deserialization

Nov 24, 2023 Patched in 1.4.1 (60d)
WF-658ccd08-5f46-4a11-8d86-38b49027f83e-wp-all-exportmedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Export any WordPress data to XML/CSV <= 1.3.5 - Reflected Cross-Site Scripting

Jun 7, 2022 Patched in 1.3.6 (595d)
CVE-2022-1800critical · 9Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Export any WordPress data to XML/CSV <= 1.3.4 - Authenticated SQL Injection

May 20, 2022 Patched in 1.3.5 (613d)
CVE-2021-24708medium · 4.8Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP All Export <= 1.3.0 - Admin+ Stored Cross-Site Scripting

Oct 6, 2021 Patched in 1.3.1 (839d)
Version History

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Release Timeline

v1.4.15Current
v1.4.141 CVE
CVE-2026-1582
v1.4.131 CVE
CVE-2026-1582
v1.4.121 CVE
CVE-2026-1582
v1.4.111 CVE
CVE-2026-1582
v1.4.101 CVE
CVE-2026-1582
v1.4.91 CVE
CVE-2026-1582
v1.4.81 CVE
CVE-2026-1582
v1.4.71 CVE
CVE-2026-1582
v1.4.61 CVE
CVE-2026-1582
v1.4.51 CVE
CVE-2026-1582
v1.4.41 CVE
CVE-2026-1582
v1.4.31 CVE
CVE-2026-1582
v1.4.21 CVE
CVE-2026-1582
v1.4.11 CVE
CVE-2026-1582
v1.4.04 CVEs
CVE-2023-4724 CVE-2026-1582 CVE-2023-5882 +1 more
v1.3.94 CVEs
CVE-2023-4724 CVE-2026-1582 CVE-2023-5882 +1 more
v1.3.84 CVEs
CVE-2023-4724 CVE-2026-1582 CVE-2023-5882 +1 more
v1.3.74 CVEs
CVE-2023-4724 CVE-2026-1582 CVE-2023-5882 +1 more
v1.3.64 CVEs
CVE-2023-4724 CVE-2026-1582 CVE-2023-5882 +1 more
Code Analysis
Analyzed Mar 16, 2026

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Code Analysis

Dangerous Functions
7
Raw SQL Queries
18
54 prepared
Unescaped Output
71
537 escaped
Nonce Checks
31
Capability Checks
26
File Operations
54
External Requests
13
Bundled Libraries
2

Dangerous Functions Found

unserialize$field_options = unserialize($options['cc_options'][$ID]);classes\wpallimport.php:544
unserialize$templateOptions = empty($templates_data[0]['options']) ? false : unserialize($templates_data[0]['opcontrollers\admin\settings.php:99
unserialize$field_options = unserialize($exportOptions['cc_options'][$ID]);helpers\wp_all_export_prepare_template_csv.php:262
unserialize$field_options = unserialize($exportOptions['cc_options'][$ID]);helpers\wp_all_export_prepare_template_xml.php:258
unserialize$result[$i][$k] = unserialize($v);models\model\list.php:87
unserialize$result[$k] = unserialize($v);models\model\record.php:33
unserialize$exportData = unserialize($sessionData['google_merchants_post_data']);src\App\Controller\ExportController.php:37

Bundled Libraries

jQuerySelect23.4.5

SQL Query Safety

75% prepared72 total queries

Output Escaping

88% escaped608 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

11 flows3 with unsanitized paths
pmxe_wp_loaded (actions\wp_loaded.php:3)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Attack Surface

Entry Points1
Unprotected0

AJAX Handlers 1

authwp_ajax_wpae_apiwpae_api.php:33
WordPress Hooks 61
actionpre_user_queryactions\wp_ajax_wpae_filtering_count.php:99
actioncomments_clausesactions\wp_ajax_wpae_filtering_count.php:113
filterposts_whereactions\wp_ajax_wpae_filtering_count.php:134
filterposts_joinactions\wp_ajax_wpae_filtering_count.php:135
actionpre_user_queryactions\wp_ajax_wpae_filtering_count.php:167
actioncomments_clausesactions\wp_ajax_wpae_filtering_count.php:187
filterterms_clausesactions\wp_ajax_wpae_filtering_count.php:212
filterposts_whereactions\wp_ajax_wpae_filtering_count.php:270
filterposts_whereactions\wp_ajax_wpae_filtering_count.php:271
filterposts_joinactions\wp_ajax_wpae_filtering_count.php:273
filterposts_whereactions\wp_ajax_wpae_filtering_count.php:278
filterposts_whereactions\wp_ajax_wpae_filtering_count.php:304
actionpre_user_queryactions\wp_ajax_wpae_preview.php:154
filterterms_clausesactions\wp_ajax_wpae_preview.php:160
actioncomments_clausesactions\wp_ajax_wpae_preview.php:166
filterposts_joinactions\wp_ajax_wpae_preview.php:201
filterposts_whereactions\wp_ajax_wpae_preview.php:202
actionpre_user_queryactions\wp_ajax_wpallexport.php:71
actioncomments_clausesactions\wp_ajax_wpallexport.php:75
filterposts_joinactions\wp_ajax_wpallexport.php:83
filterposts_whereactions\wp_ajax_wpallexport.php:84
actionpre_user_queryactions\wp_ajax_wpallexport.php:95
filterterms_clausesactions\wp_ajax_wpallexport.php:99
actioncomments_clausesactions\wp_ajax_wpallexport.php:104
filterposts_whereactions\wp_ajax_wpallexport.php:132
filterposts_joinactions\wp_ajax_wpallexport.php:154
filterposts_whereactions\wp_ajax_wpallexport.php:155
actioncomments_clausesactions\wp_ajax_wpallexport.php:172
actioncomments_clausesactions\wp_ajax_wpallexport.php:178
filterterms_clausesactions\wp_ajax_wpallexport.php:183
filterposts_whereactions\wp_ajax_wpallexport.php:188
actionwp_enqueue_scriptsclasses\partner-discount-sdk\partner-discount-sdk.php:167
actionadmin_enqueue_scriptsclasses\partner-discount-sdk\partner-discount-sdk.php:168
actionadmin_enqueue_scriptscontrollers\controller\admin.php:81
actionpre_user_querymodels\export\record.php:77
actioncomments_clausesmodels\export\record.php:83
filterposts_wheremodels\export\record.php:93
filterposts_joinmodels\export\record.php:94
actionpre_user_querymodels\export\record.php:113
actioncomments_clausesmodels\export\record.php:119
filterterms_clausesmodels\export\record.php:134
filterposts_wheremodels\export\record.php:140
filterposts_wheremodels\export\record.php:163
filterposts_joinmodels\export\record.php:164
actioncomments_clausesmodels\export\record.php:282
filterposts_wheremodels\export\record.php:288
actioncomments_clausesmodels\export\record.php:306
filterterms_clausesmodels\export\record.php:312
filterwp_mail_content_typemodels\export\record.php:400
filterwp_all_export_single_filter_rulesrc\Pro\Filtering\FilteringBase.php:61
actionadmin_noticessrc\WordPress\AdminDismissibleNotice.php:30
actionadmin_noticessrc\WordPress\AdminNotice.php:26
actionadmin_noticessrc\WordPress\SitewideAdminDismissibleNotice.php:63
actionadmin_noticeswp-all-export.php:51
actionadmin_enqueue_scriptswp-all-export.php:226
actionadmin_initwp-all-export.php:248
actionadmin_initwp-all-export.php:249
actioninitwp-all-export.php:250
filtercurrent_screenwp-all-export.php:454
filteradmin_body_classwp-all-export.php:455
actionadmin_noticeswp-all-export.php:468
Maintenance & Trust

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 7, 2026
PHP min version7.4
Downloads3.1M

Community Trust

Rating90/100
Number of ratings414
Active installs100K
Alternatives

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Alternatives

Export All Posts, Products, Orders, Refunds & Users

Export All Posts, Products, Orders, Refunds & Users

wp-ultimate-exporter

B
77

Export any WordPress website including WooCommerce data seamlessly with our powerful export plugin. Save records as CSV, XML, or Excel file for secure &hellip;

9K 9 CVEs
Mailer Panel – Email Marketing for WooCommerce

Mailer Panel – Email Marketing for WooCommerce

mailer-panel-email-marketing-for-woocommerce

A
92

Send mailings with Mailer Panel. Export WooCommerce data and run outreach and promotional campaigns with pre-made templates in Mailer Panel.

0 No CVEs
All-in-One WP Migration and Backup

All-in-One WP Migration and Backup

all-in-one-wp-migration

A
90

Trusted by 60M+ sites: The gold standard for WordPress migration and backup. Migrate, backup, and restore your WordPress site with one click.

5.0M 13 CVEs
WP Migrate Lite – Migration Made Easy

WP Migrate Lite – Migration Made Easy

wp-migrate-db

A
99

Migrate your database. Export full sites including media, themes, and plugins. Find and replace content with support for serialized data.

200K 1 CVE
Product Import Export for WooCommerce – Import Export Product CSV Suite

Product Import Export for WooCommerce – Import Export Product CSV Suite

product-import-export-for-woo

A
94

Easily import/export WooCommerce products (simple, grouped, external/affiliate) via CSV. Transfer product data, including images, reviews, categories, &hellip;

90K 7 CVEs
Developer Profile

WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel Developer Profile

Soflyy

4 plugins · 124K total installs

70
trust score
Avg Security Score
87/100
Avg Patch Time
285 days
View full developer profile
Detection Fingerprints

How We Detect WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel