WP Import Export Lite Security & Risk Analysis

wordpress.org/plugins/wp-import-export-lite

Complete Import & Export solution for Posts, Pages, Custom Post, Users, Taxonomies, Comments etc.

40K active installs · v3.9.30 · PHP 5.6+ · WP 4.4+ · Updated Aug 4, 2025
Tags: csv, export, import, migrate, schedule
Score 93 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Aug 4, 2025
Safety Verdict

Is WP Import Export Lite Safe to Use in 2026?

Generally Safe

Score 93/100

WP Import Export Lite has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

5 known CVEs · Last CVE: Aug 4, 2025 · Updated 9mo ago
Risk Assessment

The wp-import-export-lite plugin v3.9.30 exhibits a concerning security posture, primarily due to its substantial attack surface exposed without adequate authentication. All 39 identified AJAX handlers lack authorization checks, which presents a significant risk of unauthorized access to and execution of plugin functionality. The static analysis also reveals the presence of dangerous `unserialize` functions, which, when combined with unsanitized input, can lead to deserialization vulnerabilities. While the plugin shows some good practices, such as a high percentage of prepared SQL statements and proper output escaping, these are overshadowed by the critical flaw of unprotected entry points and the historical prevalence of high-severity vulnerabilities, including Cross-Site Scripting, Unrestricted File Upload, and Missing Authorization. The recent high-severity vulnerabilities indicate a recurring pattern of security weaknesses that attackers could potentially exploit, even though the current version has no unpatched CVEs.

Although the current version has no unpatched CVEs, the historical data and the static analysis findings paint a picture of a plugin that requires significant attention to its security implementation. The 22 high-severity taint flows with unsanitized paths are particularly worrying, suggesting that user-supplied data is not being properly validated before being used in sensitive operations. The presence of `unserialize` further exacerbates this risk. While the use of DataTables and Guzzle as bundled libraries is not inherently a weakness, it's crucial to ensure these are kept up-to-date to avoid introducing known vulnerabilities. In conclusion, while there are some positive aspects like output escaping and prepared statements, the plugin's security is severely compromised by its large, unprotected attack surface and a history of critical and high-severity vulnerabilities. Further code review and hardening are strongly recommended.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous unserialize function present
  • High severity taint flows
  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
  • History of XSS vulnerabilities
  • History of Unrestricted Upload vulnerabilities
  • History of Deserialization vulnerabilities
  • History of Missing Authorization vulnerabilities
  • Bundled libraries (DataTables, Guzzle)
Vulnerabilities
5 published

WP Import Export Lite Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 1 CVE
  • 2025: 3 CVEs

Severity Breakdown

  • High: 4
  • Medium: 1

5 total CVEs

CVE-2025-5061 · high · 7.5 · Unrestricted Upload of File with Dangerous Type

WP Import Export Lite <= 3.9.29 - Authenticated (Subscriber+) Arbitrary File Upload

Aug 4, 2025 · Patched in 3.9.30 (168d)

CVE-2025-6207 · high · 7.5 · Unrestricted Upload of File with Dangerous Type

WP Import Export Lite <= 3.9.28 - Authenticated (Subscriber+) Arbitrary File Upload

Aug 4, 2025 · Patched in 3.9.29 (168d)

CVE-2025-2839 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Import Export Lite <= 3.9.27 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Apr 21, 2025 · Patched in 3.9.28 (1d)

CVE-2024-31308 · high · 7.2 · Deserialization of Untrusted Data

WP Import Export Lite <= 3.9.26 - Authenticated (Administrator+) PHP Object Injection

Apr 5, 2024 · Patched in 3.9.27 (7d)

CVE-2022-0236 · high · 7.5 · Missing Authorization

WP Import Export Lite & WP Import Export <= 3.9.15 - Unauthenticated Sensitive Data Disclosure

Jan 14, 2022 · Patched in 3.9.16 (739d)

Version History

WP Import Export Lite Release Timeline

v3.9.30 · Current
v3.9.29 · 1 CVE

Code Analysis
Analyzed Mar 16, 2026

WP Import Export Lite Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 22 (115 prepared)
  • Unescaped Output: 126 (543 escaped)
  • Nonce Checks: 3
  • Capability Checks: 4
  • File Operations: 188
  • External Requests: 3
  • Bundled Libraries: 2

Dangerous Functions Found

`unserialize` · `$this->{$key} = unserialize(serialize($val));` · vendor_deprecated\phpoffice\phpspreadsheet\src\PhpSpreadsheet\Spreadsheet.php:1010
`unserialize` · `$this->{$key} = unserialize(serialize($val));` · vendor_deprecated\phpoffice\phpspreadsheet\src\PhpSpreadsheet\Worksheet\Worksheet.php:2981

Both findings are the same statement, in which `unserialize` is applied directly to the output of `serialize($val)`.

Bundled Libraries

DataTables, Guzzle

SQL Query Safety

84% prepared · 137 total queries

Output Escaping

81% escaped · 669 total outputs

Data Flows · Security
29 unsanitized

Data Flow Analysis

25 flows · 29 with unsanitized paths
wpie_tempalte_import (includes\classes\class-wpie-common-action.php:384)
Attack Surface
39 unprotected

WP Import Export Lite Attack Surface

Entry Points: 39
Unprotected: 39

AJAX Handlers 39

auth · wp_ajax_wpie_save_user_cap · includes\classes\class-wpie-common-action.php:13
auth · wp_ajax_wpie_get_user_cap · includes\classes\class-wpie-common-action.php:15
auth · wp_ajax_wpie_delete_tempaltes · includes\classes\class-wpie-common-action.php:17
auth · wp_ajax_wpie_tempalte_import · includes\classes\class-wpie-common-action.php:19
auth · wp_ajax_wpie_get_tempaltes · includes\classes\class-wpie-common-action.php:21
auth · wp_ajax_wpie_save_advance_option · includes\classes\class-wpie-common-action.php:23
auth · wp_ajax_wpie_update_process_status · includes\classes\class-wpie-common-action.php:25
auth · wp_ajax_wpie_save_bg_cron_processing · includes\classes\class-wpie-common-action.php:27
auth · wp_ajax_wpie_change_license_status · includes\classes\class-wpie-common-action.php:29
auth · wp_ajax_wpie_ext_save_extensions · includes\classes\class-wpie-extensions.php:21
auth · wp_ajax_wpie_ext_save_extension_data · includes\classes\class-wpie-extensions.php:23
auth · wp_ajax_wpie_export_get_template_list · includes\classes\export\class-wpie-export-actions.php:21
auth · wp_ajax_wpie_export_get_settings_list · includes\classes\export\class-wpie-export-actions.php:23
auth · wp_ajax_wpie_export_save_template · includes\classes\export\class-wpie-export-actions.php:25
auth · wp_ajax_wpie_export_get_template_data · includes\classes\export\class-wpie-export-actions.php:27
auth · wp_ajax_wpie_export_records_count · includes\classes\export\class-wpie-export-actions.php:29
auth · wp_ajax_wpie_export_field_list · includes\classes\export\class-wpie-export-actions.php:31
auth · wp_ajax_wpie_export_get_rule_list · includes\classes\export\class-wpie-export-actions.php:33
auth · wp_ajax_wpie_export_create_data · includes\classes\export\class-wpie-export-actions.php:35
auth · wp_ajax_wpie_export_update_data · includes\classes\export\class-wpie-export-actions.php:37
auth · wp_ajax_wpie_export_prepare_file · includes\classes\export\class-wpie-export-actions.php:39
auth · wp_ajax_wpie_export_get_preview_data · includes\classes\export\class-wpie-export-actions.php:41
auth · wp_ajax_wpie_export_update_status · includes\classes\export\class-wpie-export-actions.php:43
auth · wp_ajax_wpie_import_validate_uploads · includes\classes\import\class-wpie-import-actions.php:23
auth · wp_ajax_wpie_import_get_filtered_records · includes\classes\import\class-wpie-import-actions.php:25
auth · wp_ajax_wpie_import_change_file · includes\classes\import\class-wpie-import-actions.php:27
auth · wp_ajax_wpie_import_get_fields · includes\classes\import\class-wpie-import-actions.php:29
auth · wp_ajax_wpie_import_update_data · includes\classes\import\class-wpie-import-actions.php:31
auth · wp_ajax_wpie_import_data · includes\classes\import\class-wpie-import-actions.php:33
auth · wp_ajax_wpie_import_get_templates · includes\classes\import\class-wpie-import-actions.php:35
auth · wp_ajax_wpie_import_get_settings · includes\classes\import\class-wpie-import-actions.php:37
auth · wp_ajax_wpie_import_save_templates · includes\classes\import\class-wpie-import-actions.php:39
auth · wp_ajax_wpie_import_get_template_data · includes\classes\import\class-wpie-import-actions.php:41
auth · wp_ajax_wpie_import_update_status · includes\classes\import\class-wpie-import-actions.php:43
auth · wp_ajax_wpie_import_get_config · includes\classes\import\class-wpie-import-actions.php:45
auth · wp_ajax_wpie_import_process_reimport · includes\classes\import\class-wpie-import-actions.php:47
auth · wp_ajax_wpie_import_set_existing_file · includes\classes\import\extensions\existing-file\wpie_existing_file.php:15
auth · wp_ajax_wpie_import_local_upload_file · includes\classes\import\extensions\local-upload\wpie_local_upload.php:15
auth · wp_ajax_wpie_import_upload_file_from_url · includes\classes\import\extensions\url-upload\wpie_url_upload.php:15

WordPress Hooks 72
action · admin_init · includes\classes\class-updates.php:49
filter · wpie_get_export_remote_locations · includes\classes\class-wpie-extensions.php:25
action · admin_menu · includes\classes\class-wpie-general.php:21
action · init · includes\classes\class-wpie-general.php:23
action · admin_head · includes\classes\class-wpie-general.php:25
filter · admin_footer_text · includes\classes\class-wpie-general.php:27
filter · update_footer · includes\classes\class-wpie-general.php:29
action · admin_enqueue_scripts · includes\classes\class-wpie-general.php:31
action · admin_enqueue_scripts · includes\classes\class-wpie-general.php:33
action · init · includes\classes\class-wpie-general.php:35
action · admin_notices · includes\classes\class-wpie-general.php:37
filter · mod_rewrite_rules · includes\classes\class-wpie-general.php:39
action · admin_init · includes\classes\class-wpie-general.php:41
filter · robots_txt · includes\classes\class-wpie-general.php:43
action · wp_loaded · includes\classes\class-wpie-general.php:45
action · shutdown · includes\classes\class-wpie-general.php:47
filter · plugin_row_meta · includes\classes\class-wpie-general.php:49
action · plugins_loaded · includes\classes\class-wpie-general.php:56
filter · wpmu_drop_tables · includes\classes\class-wpie-general.php:58
filter · woocommerce_order_number · includes\classes\class-wpie-general.php:60
filter · cron_schedules · includes\classes\class-wpie-schedule.php:11
action · comments_clauses · includes\classes\export\class-wpie-comment.php:305
action · pre_user_query · includes\classes\export\class-wpie-post.php:473
filter · posts_where · includes\classes\export\class-wpie-post.php:648
filter · posts_join · includes\classes\export\class-wpie-post.php:650
filter · posts_groupby · includes\classes\export\class-wpie-post.php:652
filter · terms_clauses · includes\classes\export\class-wpie-taxonomy.php:395
action · init · includes\classes\export\extensions\bg\class-wpie-bg.php:20
filter · wpie_add_export_extension_process_btn · includes\classes\export\extensions\bg\class-wpie-bg.php:22
action · pre_user_query · includes\classes\export\extensions\user\class-wpie-user.php:278
filter · wpie_export_engine_init · includes\classes\export\extensions\user\wpie_user.php:8
filter · wpie_prepare_post_fields · includes\classes\export\extensions\yoast-seo\wpie_yoast_seo.php:12
filter · wpie_prepare_taxonomy_fields · includes\classes\export\extensions\yoast-seo\wpie_yoast_seo.php:14
filter · wpie_prepare_export_addons · includes\classes\export\extensions\yoast-seo\wpie_yoast_seo.php:16
action · init · includes\classes\function.php:29
action · init · includes\classes\import\class-wpie-import-actions.php:21
action · wpie_after_completed_item_import · includes\classes\import\compatibility\manager.php:22
action · wpie_after_post_import · includes\classes\import\compatibility\manager.php:23
action · init · includes\classes\import\extensions\bg\class-wpie-bg.php:18
filter · wpie_add_import_extension_process_btn_files · includes\classes\import\extensions\bg\class-wpie-bg.php:20
filter · wpie_import_upload_sections · includes\classes\import\extensions\existing-file\wpie_existing_file.php:13
filter · wpie_import_upload_sections · includes\classes\import\extensions\local-upload\wpie_local_upload.php:13
filter · wpie_import_upload_sections · includes\classes\import\extensions\url-upload\wpie_url_upload.php:13
filter · send_password_change_email · includes\classes\import\extensions\user\class-wpie-user.php:245
filter · send_email_change_email · includes\classes\import\extensions\user\class-wpie-user.php:246
action · after_password_reset · includes\classes\import\extensions\user\class-wpie-user.php:254
action · register_new_user · includes\classes\import\extensions\user\class-wpie-user.php:255
action · edit_user_created_user · includes\classes\import\extensions\user\class-wpie-user.php:256
filter · wpie_import_engine_init · includes\classes\import\extensions\user\user.php:9
filter · wpie_import_mapping_fields_file · includes\classes\import\extensions\user\user.php:11
filter · wpie_import_mapping_fields · includes\classes\import\extensions\user\wpie-user-fields.php:3
filter · wpie_import_search_existing_item · includes\classes\import\extensions\user\wpie-user-fields.php:203
filter · wpie_import_update_existing_item_fields · includes\classes\import\extensions\user\wpie-user-fields.php:256
filter · wpie_pre_post_field_mapping_section · includes\classes\import\extensions\yoast-seo\wpie_yoast_seo.php:12
filter · wpie_pre_term_field_mapping_section · includes\classes\import\extensions\yoast-seo\wpie_yoast_seo.php:14
filter · wpie_pre_user_field_mapping_section · includes\classes\import\extensions\yoast-seo\wpie_yoast_seo.php:16
filter · wpie_pre_attribute_field_mapping_section · includes\classes\import\extensions\yoast-seo\wpie_yoast_seo.php:18
filter · wpie_import_addon · includes\classes\import\extensions\yoast-seo\wpie_yoast_seo.php:20
filter · wpie_import_yoast_addon · includes\classes\import\extensions\yoast-seo\wpie_yoast_seo.php:22
action · admin_enqueue_scripts · includes\classes\import\extensions\yoast-seo\wpie_yoast_seo.php:24
filter · wpie_import_mapping_fields · includes\classes\import\fields\wpie-comments.php:4
filter · wpie_import_search_existing_item · includes\classes\import\fields\wpie-comments.php:259
filter · wpie_import_update_existing_item_fields · includes\classes\import\fields\wpie-comments.php:310
filter · wpie_import_mapping_fields · includes\classes\import\fields\wpie-post.php:4
filter · wpie_import_search_existing_item · includes\classes\import\fields\wpie-post.php:556
filter · wpie_import_update_existing_item_fields · includes\classes\import\fields\wpie-post.php:619
filter · wpie_import_mapping_fields · includes\classes\import\fields\wpie-taxonomy.php:4
filter · wpie_import_search_existing_item · includes\classes\import\fields\wpie-taxonomy.php:315
filter · wpie_import_update_existing_item_fields · includes\classes\import\fields\wpie-taxonomy.php:366
action · plugins_loaded · support\plugins\bbq_firewall.php:17
action · admin_init · wp-import-export-lite.php:17
action · init · wp-import-export-lite.php:193

Maintenance & Trust

WP Import Export Lite Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 4, 2025
PHP min version: 5.6
Downloads: 918K

Community Trust

Rating: 80/100
Number of ratings: 113
Active installs: 40K

Developer Profile

WP Import Export Lite Developer Profile

vjinfotech

1 plugin · 40K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 217 days
Detection Fingerprints

How We Detect WP Import Export Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-import-export-lite/assets/css/wpie-style.css
/wp-content/plugins/wp-import-export-lite/assets/js/wpie-script.js
/wp-content/plugins/wp-import-export-lite/assets/js/wpie-admin.js
Script Paths
/wp-content/plugins/wp-import-export-lite/assets/js/wpie-script.js
/wp-content/plugins/wp-import-export-lite/assets/js/wpie-admin.js
Version Parameters
/wp-content/plugins/wp-import-export-lite/assets/css/wpie-style.css?ver=
/wp-content/plugins/wp-import-export-lite/assets/js/wpie-script.js?ver=
/wp-content/plugins/wp-import-export-lite/assets/js/wpie-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpie-new-export, wpie-new-import, wpie-extensions, wpie-settings, wpie-manage-import, wpie-manage-export
HTML Comments
<!--Added By WP Import Export Lite-->
Data Attributes
data-wpie-nonce
JS Globals
WPIE_AJAX_URL, WPIE_POST_TYPE_ARRAY, WPIE_PLUGIN_URL, WPIE_UPLOAD_URL, wpie_vars
REST Endpoints
/wp-json/wp-import-export-lite
FAQ

Frequently Asked Questions about WP Import Export Lite