WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress Security & Risk Analysis

wordpress.org/plugins/wp-ultimate-csv-importer

Effortlessly import, export, and migrate your WordPress data with WP Ultimate CSV Importer. This all-in-one solution supports CSV, XML, and Excel file …

20K active installs · v7.39.2 · PHP 7.4+ · WP 5.0+ · Updated Mar 11, 2026
Tags: csv-importer, import-export, woocommerce-import, wordpress-import, xml-importer
Score: 88 · A · Safe
CVEs total: 26
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress Safe to Use in 2026?

Generally Safe

Score 88/100

WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

26 known CVEs · Last CVE: Feb 17, 2026 · Updated 23d ago
Risk Assessment

The wp-ultimate-csv-importer plugin exhibits a mixed security posture. It demonstrates some good practices, such as a substantial number of nonce and capability checks relative to its attack surface, but significant concerns remain. The 5 AJAX handlers without authentication checks are direct entry points for potential unauthorized actions. The high number of flows with unsanitized paths, including 3 critical-severity taint flows, indicates a substantial risk of path traversal or arbitrary file access vulnerabilities. The plugin's vulnerability history, with 26 known CVEs, shows a pattern of past security issues. The recent absence of unpatched vulnerabilities is positive, but the sheer volume and types of past vulnerabilities, including deserialization, code injection, and SQL injection, are alarming and suggest that foundational security issues have been recurrent.

Key Concerns

  • AJAX handlers without authentication checks
  • Taint flows with unsanitized paths (high severity)
  • Use of unserialize function
  • SQL queries not using prepared statements
  • Output not properly escaped
  • Large number of known CVEs
  • Past high severity vulnerability types
Vulnerabilities
26

WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress Security Vulnerabilities

CVEs by Year

2015: 4 CVEs
2018: 1 CVE
2019: 1 CVE
2022: 7 CVEs
2023: 4 CVEs
2025: 7 CVEs
2026: 2 CVEs

Severity Breakdown

High: 15
Medium: 11

26 total CVEs

CVE-2026-1317 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name

Feb 17, 2026 Patched in 7.38 (2d)
CVE-2025-14627 · medium · 6.4 · Server-Side Request Forgery (SSRF)

WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass

Jan 1, 2026 Patched in 7.36 (1d)
CVE-2025-13145 · high · 7.2 · Deserialization of Untrusted Data

WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import

Nov 18, 2025 Patched in 7.34 (1d)
CVE-2025-12732 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure

Nov 11, 2025 Patched in 7.33.1 (1d)
CVE-2025-10057 · high · 8.8 · Improper Control of Generation of Code ('Code Injection')

WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection

Sep 16, 2025 Patched in 7.29 (1d)
CVE-2025-10058 · high · 8.1 · External Control of File Name or Path

WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion

Sep 16, 2025 Patched in 7.28 (1d)
CVE-2025-10040 · high · 7.7 · Missing Authorization

WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure

Sep 9, 2025 Patched in 7.28 (1d)
CVE-2025-2008 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload

Mar 31, 2025 Patched in 7.19.1 (4d)
CVE-2025-2007 · high · 8.1 · Relative Path Traversal

Import Export Suite for CSV and XML Datafeed <= 7.19 - Authenticated (Subscriber+) Arbitrary File Deletion

Mar 25, 2025 Patched in 7.19.1 (11d)
CVE-2023-4140 · medium · 6.6 · Improper Privilege Management

WP Ultimate CSV Importer <= 7.9.8 - Arbitrary Usermeta Update to Authenticated (Author+) Privilege Escalation

Aug 3, 2023 Patched in 7.9.9 (173d)
CVE-2023-4139 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

WP Ultimate CSV Importer <= 7.9.8 - Sensitive Information Exposure via Directory Listing

Aug 3, 2023 Patched in 7.9.9 (173d)
CVE-2023-4141 · high · 8 · Improper Control of Generation of Code ('Code Injection')

WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) PHP File Creation to Remote Code Execution

Aug 3, 2023 Patched in 7.9.9 (173d)
CVE-2023-4142 · high · 8 · Improper Control of Generation of Code ('Code Injection')

WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) Remote Code Execution

Aug 3, 2023 Patched in 7.9.9 (173d)
CVE-2022-3243 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Ultimate CSV Importer <= 6.5.7 - Authenticated (Administrator+) SQL Injection

Sep 20, 2022 Patched in 6.5.8 (490d)
CVE-2022-3244 · medium · 5.4 · Missing Authorization

WP Ultimate CSV Importer <= 6.5.7 - Missing Authorization

Sep 20, 2022 Patched in 6.5.8 (490d)
CVE-2022-1977 · medium · 4.1 · Server-Side Request Forgery (SSRF)

WP Ultimate CSV Importer <= 6.5.2 - Server-Side Request Forgery

Jun 2, 2022 Patched in 6.5.3 (600d)
CVE-2022-0360 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Ultimate CSV Importer <= 6.4.2 - Admin+ Stored Cross-Site Scripting

Jan 26, 2022 Patched in 6.4.3 (727d)

Import all XML, CSV & TXT into WordPress < 6.4.2 - Missing Authorization

Jan 17, 2022 Patched in 6.4.2 (736d)

Easy Drag And drop All Import : WP Ultimate CSV Importer < 6.4.1 - Missing Authorization Checks

Jan 12, 2022 Patched in 6.4.1 (741d)
WF-d21bebcc-8dba-407d-8a3a-b91d3cddd38f-wp-ultimate-csv-importer · high · 8.8 · Unrestricted Upload of File with Dangerous Type

WP Ultimate CSV Importer <= 6.4.0 - Arbitrary File Upload

Jan 12, 2022 Patched in 6.4.1 (741d)
CVE-2018-20967 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Easy Drag And drop All Import : WP Ultimate CSV Importer <= 5.6 - Cross-Site Request Forgery

Aug 13, 2019 Patched in 5.6.1 (1624d)
WF-45ba8203-a8a0-4330-a264-c2f555d09ef0-wp-ultimate-csv-importer · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Import Export All WordPress Images, Users & Post Types <= 3.8.7 - Reflected Cross-Site Scripting

Jan 27, 2018 Patched in 3.8.8 (2187d)
CVE-2015-9306 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy Drag And drop All Import : WP Ultimate CSV Importer < 3.8.1 - Cross-Site Scripting

Aug 18, 2015 Patched in 3.8.1 (3080d)
CVE-2015-10125 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Import CSV or XML Datafeed With Ease <= 3.7.2 - Cross-Site Request Forgery

May 5, 2015 Patched in 3.7.3 (3201d)

WP Ultimate CSV Importer <= 3.7 - Arbitrary File Read

Apr 27, 2015 Patched in 3.7.1 (3193d)
WF-7a46c049-367d-4a67-9607-c74ef0b96c71-wp-ultimate-csv-importer · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

Ultimate CSV Importer < 3.6.75 - Information Disclosure

Feb 22, 2015 Patched in 3.6.75 (3257d)
Code Analysis
Analyzed Mar 16, 2026

WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress Code Analysis

Dangerous Functions: 40
Raw SQL Queries: 538 · 416 prepared
Unescaped Output: 126 · 220 escaped
Nonce Checks: 50
Capability Checks: 16
File Operations: 115
External Requests: 15
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $get_field_content = unserialize( $acf_pro_fields->post_content ); · extensionModules\ACFExtension.php:84
unserialize · $get_sub_field_content = unserialize( $get_sub_key->post_content ); · extensionModules\ACFExtension.php:91
unserialize · $get_sub_field_content = unserialize( $acf_pro_group_fields->post_content ); · extensionModules\ACFExtension.php:132
unserialize · $get_field_content = unserialize( $acf_pro_fields->post_content ); · extensionModules\ACFProExtension.php:103
unserialize · $get_sub_field_content = unserialize( $get_sub_key->post_content ); · extensionModules\ACFProExtension.php:111
unserialize · $get_sub_field_content = unserialize( $get_sub_key->post_content ); · extensionModules\ACFProExtension.php:124
unserialize · $get_sub_field_content = unserialize( $acf_pro_repeater_fields->post_content ); · extensionModules\ACFProExtension.php:175
unserialize · $get_sub_field_content = unserialize( $acf_pro_group_fields->post_content ); · extensionModules\ACFProExtension.php:205
unserialize · $get_sub_field_content = unserialize( $acf_pro_fc_fields->post_content ); · extensionModules\ACFProExtension.php:233
unserialize · $get_sub_field_content = unserialize( $get_sub_key->post_content ); · extensionModules\ACFProExtension.php:314
unserialize · $relation_value = unserialize($relation_value); · extensionModules\MetaBoxRelationsExtension.php:69
unserialize · $unserialize_jet_cpt = unserialize($jet_cpt_fields); · extensionModules\WordpressCustomExtension.php:103
unserialize · $unserialize_jet_field_value = unserialize($jet_field_value); · extensionModules\WordpressCustomExtension.php:117
unserialize · $unser_custom_posts_wpml_sync_options = unserialize($get_custom_posts_wpml_sync_options); · extensionModules\WPMLExtension.php:64
unserialize · $get_type_field = unserialize($value_type['post_content']); · importExtensions\ACFImport.php:142
unserialize · $update_id = unserialize($get_relation_field); · importExtensions\ACFImport.php:221
unserialize · $update_id = unserialize($get_object_field); · importExtensions\ACFImport.php:271
unserialize · $update_id = unserialize($get_relation_field); · importExtensions\ACFImport.php:337
unserialize · $map_wpml = unserialize($mapped_fields_values); · importExtensions\CoreFieldsImport.php:528
unserialize · $map_wpml = unserialize($mapped_fields_values); · importExtensions\CoreFieldsImport.php:599
unserialize · $data = unserialize($dvalue); · importExtensions\JetBookingImport.php:63
unserialize · $arg_data = unserialize($arg_data); · importExtensions\JetEngineCCTImport.php:381
unserialize · $stored_ids = unserialize(get_option('total_attachment_ids', '')); · MediaHandling.php:1619
unserialize · $get_stored_ids = unserialize(get_option('total_attachment_ids', '')); · MediaHandling.php:1621
unserialize · $stored_ids = unserialize(get_option('total_attachment_ids', '')); · MediaHandling.php:1629
unserialize · $stored_data = unserialize(get_option($option_name, '')); · MediaHandling.php:1638
unserialize · $stored_data = unserialize($stored_data); · MediaHandling.php:1641
unserialize · $stored_data = unserialize(get_option($option_name, '')); · MediaHandling.php:1645
unserialize · $map = unserialize($mapped_fields_values); · SaveMapping.php:474
unserialize · $this->manage_filter = unserialize($mapping_filter); · SaveMapping.php:475
unserialize · $map = unserialize($mapped_fields_values); · SaveMapping.php:1425
unserialize · $read_state = unserialize($read_text_ser); · SaveMapping.php:1482
unserialize · $read_states = unserialize($read_text_sers); · SaveMapping.php:1492
unserialize · $read_state = unserialize($read_text_ser); · SaveMapping.php:1558
unserialize · $read_states = unserialize($read_text_sers); · SaveMapping.php:1568
unserialize · $read_state = unserialize($read_text_ser); · SaveMapping.php:1661
unserialize · $read_states = unserialize($read_text_sers); · SaveMapping.php:1671
unserialize · $stored_ids = unserialize(get_option('total_attachment_ids', '')); · SaveMapping.php:2239
unserialize · $stored_ids = unserialize(get_option('failed_attachment_ids', '')); · SaveMapping.php:2245
unserialize · $map = unserialize($mapped_fields_values); · SmackcliHandler.php:79

SQL Query Safety

44% prepared · 954 total queries

Output Escaping

64% escaped · 346 total outputs
Data Flows
9 unsanitized

Data Flow Analysis

25 flows · 9 with unsanitized paths
upload_function (uploadModules\DesktopUpload.php:51)
Attack Surface
5 unprotected

WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress Attack Surface

Entry Points: 52
Unprotected: 5

AJAX Handlers 52

auth · wp_ajax_helperImport · controllers\HelperExtension.php:45
auth · wp_ajax_helperSearch · controllers\HelperExtension.php:46
auth · wp_ajax_needHelper · controllers\NeedHelperExtension.php:45
auth · wp_ajax_security_performance · controllers\Security.php:40
auth · wp_ajax_active_addons · controllers\Security.php:41
auth · wp_ajax_settings_options · controllers\SendPassword.php:40
auth · wp_ajax_get_options · controllers\SendPassword.php:41
auth · wp_ajax_get_setting · controllers\SendPassword.php:42
auth · wp_ajax_support_mail · controllers\SupportMail.php:40
auth · wp_ajax_toolset_state · controllers\SupportMail.php:41
auth · wp_ajax_send_subscribe_email · controllers\SupportMail.php:42
auth · wp_ajax_LineChart · Dashboard.php:18
auth · wp_ajax_BarChart · Dashboard.php:19
auth · wp_ajax_displayCSV · DragandDropExtension.php:17
auth · wp_ajax_total_records · exportExtensions\ExportExtension.php:50
auth · wp_ajax_check_export · exportExtensions\ExportExtension.php:51
auth · wp_ajax_mappingfields · extensionModules\MappingExtension.php:25
auth · wp_ajax_updatefields · ImportConfiguration.php:17
auth · wp_ajax_check_import · importExtensions\ImportHelpers.php:32
auth · wp_ajax_install_plugins · InstallAddons.php:38
auth · wp_ajax_install_addon · InstallAddons.php:39
auth · wp_ajax_display_log · managerExtensions\LogManager.php:21
auth · wp_ajax_download_log · managerExtensions\LogManager.php:22
auth · wp_ajax_download_media_log · managerExtensions\LogManager.php:23
auth · wp_ajax_download_failed_log · managerExtensions\LogManager.php:24
auth · wp_ajax_delete_log · managerExtensions\LogManager.php:25
auth · wp_ajax_zip_upload · MediaHandling.php:21
auth · wp_ajax_image_options · MediaHandling.php:22
auth · wp_ajax_delete_image · MediaHandling.php:23
auth · wp_ajax_saveMappedFields · SaveMapping.php:29
auth · wp_ajax_StartImport · SaveMapping.php:30
auth · wp_ajax_GetProgress · SaveMapping.php:31
auth · wp_ajax_ImportState · SaveMapping.php:32
auth · wp_ajax_ImportStop · SaveMapping.php:33
auth · wp_ajax_checkmain_mode · SaveMapping.php:34
auth · wp_ajax_close_notification_action · SaveMapping.php:35
auth · wp_ajax_bulk_file_import · SaveMapping.php:36
auth · wp_ajax_bulk_import · SaveMapping.php:37
auth · wp_ajax_PauseImport · SaveMapping.php:38
auth · wp_ajax_ResumeImport · SaveMapping.php:39
auth · wp_ajax_DeactivateMail · SaveMapping.php:40
auth · wp_ajax_smackuci_check_review_popup · SaveMapping.php:41
nopriv · wp_ajax_smackuci_check_review_popup · SaveMapping.php:42
auth · wp_ajax_handle_export_csv · SingleImportExport.php:22
auth · wp_ajax_handle_import_csv · SingleImportExport.php:23
auth · wp_ajax_get_desktop · uploadModules\DesktopUpload.php:22
auth · wp_ajax_oneClickUpload · uploadModules\DesktopUpload.php:23
auth · wp_ajax_get_csv_delimiter · uploadModules\DesktopUpload.php:24
auth · wp_ajax_get_ftp_url · uploadModules\FtpUpload.php:24
auth · wp_ajax_get_ftp_details · uploadModules\FtpUpload.php:25
auth · wp_ajax_get_csv_url · uploadModules\UrlUpload.php:25
auth · wp_ajax_get_parse_xml · uploadModules\XmlHandler.php:17
WordPress Hooks 15
action · admin_init · SmackCSVImporterInstall.php:44
action · admin_init · SmackCSVImporterInstall.php:45
action · init · wp-ultimate-csv-importer.php:93
action · admin_init · wp-ultimate-csv-importer.php:95
action · admin_enqueue_scripts · wp-ultimate-csv-importer.php:102
action · admin_notices · wp-ultimate-csv-importer.php:107
action · admin_init · wp-ultimate-csv-importer.php:108
action · admin_menu · wp-ultimate-csv-importer.php:211
filter · https_local_ssl_verify · wp-ultimate-csv-importer.php:268
filter · https_ssl_verify · wp-ultimate-csv-importer.php:269
action · admin_bar_menu · wp-ultimate-csv-importer.php:286
action · wp_head · wp-ultimate-csv-importer.php:287
action · admin_enqueue_scripts · wp-ultimate-csv-importer.php:327
action · plugins_loaded · wp-ultimate-csv-importer.php:623
action · admin_head · wp-ultimate-csv-importer.php:638
Maintenance & Trust

WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.4
Downloads: 2.2M

Community Trust

Rating: 88/100
Number of ratings: 575
Active installs: 20K
Developer Profile

WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress Developer Profile

Smackcoders Inc.

20 plugins · 40K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 958 days
Detection Fingerprints

How We Detect WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-ultimate-csv-importer/css/dashboard.css
/wp-content/plugins/wp-ultimate-csv-importer/css/importer.css
/wp-content/plugins/wp-ultimate-csv-importer/css/media.css
/wp-content/plugins/wp-ultimate-csv-importer/css/pattern.css
/wp-content/plugins/wp-ultimate-csv-importer/css/settings.css
/wp-content/plugins/wp-ultimate-csv-importer/css/smack-ui.css
/wp-content/plugins/wp-ultimate-csv-importer/css/support.css
/wp-content/plugins/wp-ultimate-csv-importer/js/dashboard.js
+6 more
Script Paths
/wp-content/plugins/wp-ultimate-csv-importer/js/dashboard.js
/wp-content/plugins/wp-ultimate-csv-importer/js/importer.js
/wp-content/plugins/wp-ultimate-csv-importer/js/media.js
/wp-content/plugins/wp-ultimate-csv-importer/js/pattern.js
/wp-content/plugins/wp-ultimate-csv-importer/js/settings.js
/wp-content/plugins/wp-ultimate-csv-importer/js/smack-ui.js
+1 more
Version Parameters
wp-ultimate-csv-importer/css/dashboard.css?ver=
wp-ultimate-csv-importer/css/importer.css?ver=
wp-ultimate-csv-importer/css/media.css?ver=
wp-ultimate-csv-importer/css/pattern.css?ver=
wp-ultimate-csv-importer/css/settings.css?ver=
wp-ultimate-csv-importer/css/smack-ui.css?ver=
wp-ultimate-csv-importer/css/support.css?ver=
wp-ultimate-csv-importer/js/dashboard.js?ver=
wp-ultimate-csv-importer/js/importer.js?ver=
wp-ultimate-csv-importer/js/media.js?ver=
wp-ultimate-csv-importer/js/pattern.js?ver=
wp-ultimate-csv-importer/js/settings.js?ver=
wp-ultimate-csv-importer/js/smack-ui.js?ver=
wp-ultimate-csv-importer/js/support.js?ver=

HTML / DOM Fingerprints

CSS Classes
smack-dashboard
smack-field
smack-import-form
smack-row
smack-upload-wrapper
smack-settings-section
smack-ui-button
smack-ui-modal
+1 more
HTML Comments
Copyright (C) 2010-2020, Smackcoders Inc - info@smackcoders.com
WP Ultimate CSV Importer plugin file.
Data Attributes
data-smack-id
data-smack-action
JS Globals
smack_csv_importer_vars
smack_dashboard_vars
smack_media_vars
smack_pattern_vars
smack_settings_vars
smack_support_vars
REST Endpoints
/wp-json/smackcsv/v1/import
/wp-json/smackcsv/v1/export