WP Smart Import : Import any XML File to WordPress Security & Risk Analysis

wordpress.org/plugins/wp-smart-import

The most powerful solution for importing any CSV and XML files to WordPress. Create Posts and Pages any Custom Posttype with content from any XML or C …

1K active installs v1.1.5 PHP 5.3+ WP 4.0+ Updated Nov 29, 2025
Tags: csv, importer, wordpress-csv-import, wordpress-importer, xml
Score: 87 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: May 21, 2025
Safety Verdict

Is WP Smart Import : Import any XML File to WordPress Safe to Use in 2026?

Generally Safe

Score 87/100

WP Smart Import : Import any XML File to WordPress has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

6 known CVEs · Last CVE: May 21, 2025 · Updated 5mo ago
Risk Assessment

The "wp-smart-import" plugin v1.1.5 presents a significant security risk primarily due to its large, unprotected attack surface. All 11 AJAX handlers lack authentication checks, making them prime targets for unauthorized actions. While the code demonstrates good practices in SQL query preparation and output escaping, the presence of the `unserialize` function is a critical concern, especially when combined with unsanitized input paths identified in the taint analysis. The taint analysis reveals 9 high-severity flows with unsanitized paths, indicating a strong potential for Remote File Inclusion or similar vulnerabilities.

The plugin's vulnerability history, with 6 known CVEs including 2 critical ones, further exacerbates the risk. Vulnerability types such as PHP Remote File Inclusion and SSRF, coupled with a critical vulnerability as recent as 2025, suggest a pattern of exploitable flaws. While there are currently no unpatched vulnerabilities, the historical trend and the static analysis findings point to a plugin that has struggled to maintain robust security and that requires diligent patching and careful handling of user-provided data.

Key Concerns

  • All 11 AJAX handlers lack auth checks
  • 9 high severity taint flows with unsanitized paths
  • Dangerous function: unserialize found
  • 2 critical CVEs in vulnerability history
  • Large attack surface without auth checks (11 entry points)
  • Capability checks missing on AJAX handlers
Vulnerabilities
6 published

WP Smart Import : Import any XML File to WordPress Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2022: 1 CVE
  • 2024: 2 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • Critical: 2
  • Medium: 4

6 total CVEs

CVE-2025-47453 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
WP Smart Import <= 1.1.3 - Unauthenticated Local File Inclusion
May 21, 2025 · Patched in 1.1.4 (9d)

CVE-2024-12701 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Smart Import : Import any XML File to WordPress <= 1.1.2 - Reflected Cross-Site Scripting
Jan 3, 2025 · Patched in 1.1.3 (1d)

CVE-2024-32597 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Smart Import : Import any XML File to WordPress <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting
Apr 16, 2024 · Patched in 1.1.0 (9d)

CVE-2024-30201 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Importer <= 1.0.4 - Reflected Cross-Site Scripting
Mar 25, 2024 · Patched in 1.0.5 (8d)

CVE-2022-40209 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Importer: Import any XML File to WordPress <= 1.0.2 - Reflected Cross-Site Scripting
Oct 11, 2022 · Patched in 1.0.3 (469d)

CVE-2020-24147 · critical · 9.1 · Server-Side Request Forgery (SSRF)
WordPress Importer : Import any XML File to WordPress < 1.0.1 - Server-Side Request Forgery
Apr 13, 2021 · Patched in 1.0.1 (1015d)

Version History

WP Smart Import : Import any XML File to WordPress Release Timeline

Code Analysis
Analyzed Mar 16, 2026

WP Smart Import : Import any XML File to WordPress Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 1 (29 prepared)
Unescaped Output: 23 (379 escaped)
Nonce Checks: 23
Capability Checks: 0
File Operations: 7
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

unserialize · includes\admin_ajax.php:459
$post_data = wpsi_helper::TrimArray( unserialize( $data->post_data, array( 'allowed_classes' => arra

unserialize · views\admin\manage\edit.php:14
$post_data = unserialize( $data->post_data, array( 'allowed_classes' => array( 'wpsi_epostdata' ) )

unserialize · views\admin\manage\update.php:18
$options = unserialize( $data->options, array( 'allowed_classes' => array( 'wpsi_uoption' ) ) );

unserialize · views\admin\manage\update.php:19
$post_data = unserialize( $data->post_data, array( 'allowed_classes' => array( 'wpsi_upostdata' ) )

SQL Query Safety

97% prepared · 30 total queries

Output Escaping

94% escaped · 402 total outputs
Data Flows · Security
9 unsanitized

Data Flow Analysis

17 flows · 9 with unsanitized paths
wpsi_xml_preview (includes\admin_ajax.php:307)
Attack Surface
11 unprotected

WP Smart Import : Import any XML File to WordPress Attack Surface

Entry Points: 11
Unprotected: 11

AJAX Handlers: 11

  • auth · wp_ajax_wpsi_file_upload · includes\admin.php:61
  • auth · wp_ajax_wpsi_xml_preview · includes\admin.php:62
  • auth · wp_ajax_wpsi_images_preview · includes\admin.php:63
  • auth · wp_ajax_insert_term · includes\admin.php:64
  • auth · wp_ajax_wpsi_file_name_check · includes\admin.php:65
  • nopriv · wp_ajax_wpsi_file_name_check · includes\admin.php:66
  • auth · wp_ajax_wpsi_runImport · includes\admin.php:67
  • auth · wp_ajax_manage_imports · includes\admin.php:68
  • auth · wp_ajax_get_total_batch_for_import · includes\admin.php:69
  • auth · wp_ajax_manage_import_files · includes\admin.php:70
  • auth · wp_ajax_get_total_batch_for_file · includes\admin.php:71

WordPress Hooks: 9

  • action · admin_init · includes\admin.php:14
  • action · init · includes\admin.php:15
  • action · admin_enqueue_scripts · includes\admin.php:16
  • action · wp_loaded · includes\admin.php:18
  • filter · style_loader_src · includes\admin.php:19
  • filter · script_loader_src · includes\admin.php:20
  • filter · admin_body_class · includes\admin.php:30
  • action · admin_menu · includes\admin_menu.php:7
  • action · plugins_loaded · wp-smart-import.php:164

Maintenance & Trust

WP Smart Import : Import any XML File to WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 29, 2025
PHP min version: 5.3
Downloads: 66K

Community Trust

Rating: 78/100
Number of ratings: 12
Active installs: 1K
Developer Profile

WP Smart Import : Import any XML File to WordPress Developer Profile

Xylus Themes

13 plugins · 110K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 105 days
Detection Fingerprints

How We Detect WP Smart Import : Import any XML File to WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-smart-import/assets/css/style.css
  • /wp-content/plugins/wp-smart-import/assets/js/main.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.min.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.validate.min.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.mCustomScrollbar.concat.min.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.easing.1.3.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.waypoints.min.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.counterup.min.js
  • +21 more
Script Paths
  • /wp-content/plugins/wp-smart-import/assets/js/main.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.min.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.validate.min.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.mCustomScrollbar.concat.min.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.easing.1.3.js
  • /wp-content/plugins/wp-smart-import/assets/js/jquery.waypoints.min.js
  • +14 more
Version Parameters
  • wp-smart-import/assets/css/style.css?ver=
  • wp-smart-import/assets/js/main.js?ver=
  • wp-smart-import/assets/js/jquery.min.js?ver=
  • wp-smart-import/assets/js/jquery.validate.min.js?ver=
  • wp-smart-import/assets/js/jquery.mCustomScrollbar.concat.min.js?ver=
  • wp-smart-import/assets/js/jquery.easing.1.3.js?ver=
  • wp-smart-import/assets/js/jquery.waypoints.min.js?ver=
  • wp-smart-import/assets/js/jquery.counterup.min.js?ver=
  • wp-smart-import/assets/js/owl.carousel.js?ver=
  • wp-smart-import/assets/js/isotope.min.js?ver=
  • wp-smart-import/assets/js/isotope.pkgd.min.js?ver=
  • wp-smart-import/assets/js/bootstrap.min.js?ver=
  • wp-smart-import/assets/js/wow.min.js?ver=
  • wp-smart-import/assets/js/custom.js?ver=
  • wp-smart-import/assets/js/common_functions.js?ver=
  • wp-smart-import/assets/js/wpsi_admin.js?ver=
  • wp-smart-import/assets/js/wpsi_validate.js?ver=
  • wp-smart-import/assets/js/wpsi_session.js?ver=
  • wp-smart-import/assets/js/wpsi_uploader.js?ver=
  • wp-smart-import/assets/js/wpsi_preview.js?ver=
  • wp-smart-import/assets/js/wpsi_import_manager.js?ver=
  • wp-smart-import/assets/css/jquery.mCustomScrollbar.css?ver=
  • wp-smart-import/assets/css/owl.carousel.css?ver=
  • wp-smart-import/assets/css/owl.theme.default.css?ver=
  • wp-smart-import/assets/css/animate.css?ver=
  • wp-smart-import/assets/css/responsive.css?ver=
  • wp-smart-import/assets/css/custom.css?ver=
  • wp-smart-import/assets/css/wpsi_admin.css?ver=
  • wp-smart-import/assets/css/wpsi_responsive.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpsmartimport-plugin
Data Attributes
data-nonce
JS Globals
wpSmartImport, wpsi_admin_obj
FAQ

Frequently Asked Questions about WP Smart Import : Import any XML File to WordPress