WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets Security & Risk Analysis

wordpress.org/plugins/wp-all-import

Easily import any file of any size into any plugin, post type, custom field, or taxonomy. Supports WooCommerce, ACF, images, galleries, users, real es …

100K active installs · v4.0.1 · PHP 7.4+ · WP 5.0+ · Updated Mar 4, 2026

Tags: csv, datafeed, wordpress-csv-import, wordpress-xml-import, xml

Score: 75 (B · Generally Safe)
CVEs total: 22
Unpatched: 0
Last CVE: Mar 5, 2026
Safety Verdict

Is WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets Safe to Use in 2026?

Mostly Safe

Score 75/100

WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets is generally safe to use. 22 past CVEs were resolved. Keep it updated.

22 known CVEs · Last CVE: Mar 5, 2026 · Updated 1mo ago
Risk Assessment

The static analysis of wp-all-import v4.0.1 reveals a mixed security posture. The plugin demonstrates strong adherence to modern WordPress security practices, with a significant number of capability checks and a high percentage of properly escaped outputs, but the presence of dangerous functions such as `create_function` and `unserialize` in the code signals potential areas of concern: if not handled with extreme care and proper sanitization, these functions can be vectors for code execution or deserialization vulnerabilities. The taint analysis showing flows with unsanitized paths is also a notable risk; although these flows are currently not classified as critical or high, they warrant attention because they could lead to unintended file access or manipulation. The plugin's history of 22 known CVEs, including critical and high severity vulnerabilities, suggests a past susceptibility to a wide range of attack types such as code injection, path traversal, and SQL injection, even though no CVEs are currently unpatched. This history, together with the presence of older WordPress ecosystem issues like CSRF and unrestricted uploads, indicates that while the current version may be free of known critical flaws, a history of significant vulnerabilities requires ongoing vigilance and thorough testing.

Key Concerns

  • Dangerous functions (create_function, unserialize)
  • Flows with unsanitized paths
  • History of 2 critical CVEs
  • History of 6 high CVEs
  • History of 13 medium CVEs
  • SQL queries not using prepared statements

Vulnerabilities (22)

WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets Security Vulnerabilities

CVEs by Year

2015: 2 CVEs
2017: 1 CVE
2018: 3 CVEs
2019: 1 CVE
2020: 2 CVEs
2021: 1 CVE
2022: 6 CVEs
2023: 1 CVE
2024: 1 CVE
2025: 3 CVEs
2026: 1 CVE

Severity Breakdown

Critical: 2
High: 6
Medium: 13
Low: 1

22 total CVEs

CVE-2026-2830 · medium · 6.1 · Improper Control of Generation of Code ('Code Injection')

WP All Import <= 4.0.0 - Reflected Cross-Site Scripting via 'filepath'

Mar 5, 2026 · Patched in 4.0.1 (1d)

CVE-2025-12733 · high · 8.8 · Improper Control of Generation of Code ('Code Injection')

Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic

Nov 12, 2025 · Patched in 4.0.0 (1d)

CVE-2025-10001 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Import any XML, CSV or Excel File to WordPress <= 3.9.3 - Authenticated (Admin+) Limited Unsafe File Upload

Sep 9, 2025 · Patched in 3.9.4 (1d)

CVE-2014-2054 · low · 3.7 · Dependency on Vulnerable Third-Party Component

Advanced Contact form 7 DB <= 2.0.8 & Import any XML, CSV or Excel File to WordPress <= 3.8.0 - Use of Vulnerable Component (PHPExcel)

Apr 7, 2025 · Patched in 3.9.0 (1d)

CVE-2024-31939 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Import any XML or CSV File to WordPress <= 3.7.3 - Cross-Site Request Forgery to Notice Dismissal

Apr 10, 2024 · Patched in 3.7.4 (8d)

CVE-2023-7082 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Import any XML or CSV File <= 3.7.2 - Authenticated (Admin+) Arbitrary File Upload

Dec 29, 2023 · Patched in 3.7.3 (40d)

CVE-2022-2711 · medium · 6.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Import any XML or CSV File to WordPress <= 3.6.8 - Authenticated (Administrator+) Arbitrary File Upload via Path Traversal

Oct 17, 2022 · Patched in 3.6.9 (463d)

CVE-2022-3418 · medium · 6.5 · Unrestricted Upload of File with Dangerous Type

Import any XML or CSV File to WordPress <= 3.6.8 - Authenticated (Administrator+) Arbitrary File Upload

Oct 17, 2022 · Patched in 3.6.9 (463d)

CVE-2022-2268 · medium · 4.8 · Improper Control of Generation of Code ('Code Injection')

WP All Import <= 3.6.7 - Admin+ Arbitrary File Upload

Jul 1, 2022 · Patched in 3.6.8 (571d)

CVE-2022-1565 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Import any XML or CSV File to WordPress <= 3.6.7 - Admin+ Malicious File Upload

Jun 30, 2022 · Patched in 3.6.8 (572d)

CVE-2022-36386 · critical · 9.1 · Improper Control of Generation of Code ('Code Injection')

WP All Import <= 3.6.7 - Authenticated (Administrator+) Arbitrary Code Execution

Jun 28, 2022 · Patched in 3.6.8 (574d)

WF-6c06b79a-0803-4973-ba88-b97d7145f82b-wp-all-import · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import any XML or CSV File to WordPress <= 3.6.6 - Reflected Cross-Site Scripting

Jun 2, 2022 · Patched in 3.6.7 (600d)

CVE-2021-24714 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import any XML or CSV File to WordPress <= 3.6.2 - Authenticated Stored Cross-Site Scripting

Nov 2, 2021 · Patched in 3.6.3 (812d)

WF-52d390e0-95ca-4570-8d4c-f679ee86ffea-wp-all-import · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Import any XML or CSV File to WordPress <= 3.2.4 - SQL Injection

Feb 19, 2020 · Patched in 3.2.5 (1434d)

Import any XML or CSV File to WordPress <= 3.2.4 - Missing Authorization and Cross-Site Request Forgery Checks

Feb 19, 2020 · Patched in 3.2.5 (1434d)

CVE-2015-9331 · high · 7.5 · Missing Authorization

Import any XML or CSV File to WordPress <= 3.2.3 & PRO < 4.1.1 - Missing Authorization Checks

Aug 20, 2019 · Patched in 3.2.4 (1617d)

CVE-2018-0546 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP All Import <= 3.4.5 - Cross-Site Scripting

Mar 8, 2018 · Patched in 3.4.6 (2147d)

CVE-2018-0547 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP All Import <= 3.4.6 - Cross-Site Scripting

Mar 8, 2018 · Patched in 3.4.7 (2147d)

CVE-2018-20978 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import any XML or CSV File to WordPress <= 3.4.6 - Cross-Site Scripting

Mar 7, 2018 · Patched in 3.4.7 (2148d)

CVE-2017-18567 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import any XML or CSV File to WordPress <= 3.4.5 - Cross-Site Scripting

Oct 8, 2017 · Patched in 3.4.6 (2298d)

CVE-2015-9330 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Import any XML or CSV File to WordPress < 3.2.5 - SQL Injection

Mar 12, 2015 · Patched in 3.2.5 (3239d)

CVE-2015-9329 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import any XML or CSV File to WordPress <= 3.2.4 - Reflected Cross-Site Scripting

Feb 26, 2015 · Patched in 3.2.5 (3253d)

Code Analysis
Analyzed Mar 16, 2026

WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 58 (88 prepared)
Unescaped Output: 89 (1346 escaped)
Nonce Checks: 40
Capability Checks: 15
File Operations: 135
External Requests: 9
Bundled Libraries: 2

Dangerous Functions Found

create_function · controllers\controller\admin.php:59
    $filter = create_function('$str', 'return "http://" == $str || "ftp://" == $str ? "" : $str;');

unserialize · helpers\functions.php:542
    $value = @unserialize(trim($value), ['allowed_classes' => false]);

create_function · plugin.php:831
    $exception_handler = create_function('$e', 'trigger_error($e->getMessage(), E_USER_ERROR);');

Bundled Libraries

Select2, jQuery

SQL Query Safety

60% prepared (146 total queries)

Output Escaping

94% escaped (1435 total outputs)

Data Flows (3 unsanitized)

Data Flow Analysis

12 flows, 3 with unsanitized paths
bundle (controllers\admin\manage.php:201)
Attack Surface

WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 32

action · transition_post_status · actions\pmxi_after_xml_import.php:91
action · transition_post_status · actions\pmxi_after_xml_import.php:92
action · post_updated · actions\pmxi_after_xml_import.php:93
action · wp_enqueue_scripts · classes\partner-discount-sdk\partner-discount-sdk.php:167
action · admin_enqueue_scripts · classes\partner-discount-sdk\partner-discount-sdk.php:168
filter · pmxi_addons · classes\rapidaddon.php:146
filter · wp_all_import_addon_parse · classes\rapidaddon.php:147
filter · wp_all_import_addon_import · classes\rapidaddon.php:148
filter · wp_all_import_addon_saved_post · classes\rapidaddon.php:149
filter · pmxi_options_options · classes\rapidaddon.php:150
filter · wp_all_import_image_sections · classes\rapidaddon.php:151
filter · pmxi_custom_types · classes\rapidaddon.php:152
filter · pmxi_post_list_order · classes\rapidaddon.php:153
filter · wp_all_import_post_type_image · classes\rapidaddon.php:154
action · pmxi_extend_options_featured · classes\rapidaddon.php:155
action · admin_init · classes\rapidaddon.php:156
filter · wp_all_import_acf_is_show_group · classes\rapidaddon.php:221
filter · wp_all_import_is_show_add_new_images · classes\rapidaddon.php:923
filter · wp_all_import_is_allow_import_images · classes\rapidaddon.php:926
filter · wp_all_import_is_images_section_enabled · classes\rapidaddon.php:975
action · admin_notices · classes\rapidaddon.php:1156
action · admin_enqueue_scripts · controllers\controller\admin.php:107
filter · user_has_cap · models\import\record.php:778
action · admin_init · plugin.php:308
action · admin_init · plugin.php:309
action · init · plugin.php:310
action · plugins_loaded · plugin.php:312
filter · current_screen · plugin.php:635
filter · admin_body_class · plugin.php:636
action · admin_notices · plugin.php:644
action · admin_notices · src\WordPress\AdminDismissibleNotice.php:43
action · admin_notices · src\WordPress\AdminNotice.php:40

Maintenance & Trust

WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version: 7.4
Downloads: 5.3M

Community Trust

Rating: 94/100
Number of ratings: 1,957
Active installs: 100K

Developer Profile

WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets Developer Profile

WP All Import

22 plugins · 207K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 1036 days
Detection Fingerprints

How We Detect WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets