Export All Posts, Products, Orders, Refunds & Users Security & Risk Analysis

wordpress.org/plugins/wp-ultimate-exporter

Export any WordPress website including WooCommerce data seamlessly with our powerful export plugin. Save records as CSV, XML, or Excel file for secure …

9K active installs · v2.23.1 · PHP 7.4+ · WP 5.0+ · Updated Mar 5, 2026
Tags: export, export-orders, export-woocommerce-products, product-export, wordpress-csv-export
Score: 77 (B · Generally Safe)
CVEs total: 9
Unpatched: 0
Last CVE: Dec 1, 2025
Safety Verdict

Is Export All Posts, Products, Orders, Refunds & Users Safe to Use in 2026?

Mostly Safe

Score 77/100

Export All Posts, Products, Orders, Refunds & Users is generally safe to use. 9 past CVEs were resolved. Keep it updated.

9 known CVEs · Last CVE: Dec 1, 2025 · Updated 29d ago
Risk Assessment

The wp-ultimate-exporter plugin v2.23.1 exhibits a mixed security posture. While it has a reasonable number of AJAX handlers, a significant portion (4 out of 13) lack authentication checks, creating a notable attack surface. The presence of 55 dangerous function calls, particularly 'unserialize', coupled with a high volume of SQL queries with only 35% using prepared statements, raises concerns about potential vulnerabilities if inputs are not rigorously sanitized. The code analysis also identified one flow with an unsanitized path and a high severity taint flow, indicating potential for sensitive data exposure or unauthorized access.

The plugin's vulnerability history is a significant red flag, with 9 known CVEs, including 2 critical and 2 high severity ones. The common vulnerability types like CSRF, Deserialization of Untrusted Data, Path Traversal, and Code Injection are particularly worrying. The fact that there are currently no unpatched CVEs is positive, but the historical pattern suggests a recurring propensity for introducing security flaws. The last vulnerability being recorded in late 2025 is peculiar and might indicate an error in the provided data or a placeholder for future issues.

In conclusion, while the absence of bundled libraries and of external HTTP requests is a strength, the numerous unprotected entry points, concerning code signals such as 'unserialize' and insufficient SQL preparation, and a history of critical vulnerabilities call for a cautious approach. The identified taint flow and unsanitized path are direct evidence of exploitable risks that should be addressed promptly.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function 'unserialize' used
  • Low percentage of prepared SQL statements
  • High severity taint flow identified
  • Flow with unsanitized path identified
  • Critical CVEs in vulnerability history
  • High CVEs in vulnerability history
  • Low percentage of properly escaped outputs
Vulnerabilities
9

Export All Posts, Products, Orders, Refunds & Users Security Vulnerabilities

CVEs by Year

  • 2016: 2 CVEs
  • 2018: 1 CVE
  • 2023: 1 CVE
  • 2025: 5 CVEs

Severity Breakdown

Critical: 2
High: 2
Medium: 5

9 total CVEs

CVE-2025-13606 · medium · 6.5 · Cross-Site Request Forgery (CSRF)

Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure

Dec 1, 2025 Patched in 2.20 (1d)
CVE-2025-2332 · critical · 9.8 · Deserialization of Untrusted Data

Export All Posts, Products, Orders, Refunds & Users <= 2.13 - Unauthenticated PHP Object Injection

Mar 26, 2025 Patched in 2.14 (1d)
CVE-2024-12315 · high · 7.5 · Insecure Storage of Sensitive Information

Export All Posts, Products, Orders, Refunds & Users <= 2.9.3 - Information Disclosure Through Unprotected Directory

Feb 11, 2025 Patched in 2.10 (1d)
CVE-2025-24611 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WP Ultimate Exporter <= 2.9 - Authenticated (Admin+) Arbitrary File Read

Jan 24, 2025 Patched in 2.9.1 (5d)
CVE-2024-56278 · medium · 4.1 · Improper Control of Generation of Code ('Code Injection')

WP Ultimate Exporter <= 2.9.1 - Authenticated (Admin+) Remote Code Execution

Jan 3, 2025 Patched in 2.9.2 (6d)
CVE-2023-2487 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

WP Ultimate Exporter <= 2.4.1 - Unauthenticated Information Disclosure

Oct 3, 2023 Patched in 2.4.2 (112d)
CVE-2018-20968 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Export WordPress Data with Advanced Filters <= 1.4.1 - Cross-Site Request Forgery

Dec 19, 2018 Patched in 1.4.2 (1861d)
CVE-2016-11000 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Export WordPress Data with Advanced Filters < 1.2 - SQL Injection

Feb 25, 2016 Patched in 1.2 (2889d)
WF-b269a5c9-9f0e-4dba-a06e-2d8dd94643b4-wp-ultimate-exporter · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Ultimate Exporter < 1.1 - Reflected Cross-Site Scripting

Feb 24, 2016 Patched in 1.1 (2890d)
Code Analysis
Analyzed Mar 16, 2026

Export All Posts, Products, Orders, Refunds & Users Code Analysis

Dangerous Functions: 55
Raw SQL Queries: 269 (145 prepared)
Unescaped Output: 26 (23 escaped)
Nonce Checks: 6
Capability Checks: 4
File Operations: 21
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $data = unserialize($userMetaInfo->meta_value); · exportExtensions\ExportExtension.php:901
unserialize · $typefileds = unserialize($userMetaInfo->meta_value); · exportExtensions\ExportExtension.php:923
unserialize · $arg_data = unserialize($arg_data); · exportExtensions\ExportExtension.php:1281
unserialize · $instructor = unserialize($records['_llms_instructors']); · exportExtensions\ExportExtension.php:1301
unserialize · $recent_posts = unserialize($get_widget_value[$value]['option_value']); · exportExtensions\ExportExtension.php:1358
unserialize · $recent_pages = unserialize($get_widget_value[$value]['option_value']); · exportExtensions\ExportExtension.php:1368
unserialize · $recent_comments = unserialize($get_widget_value[$value]['option_value']); · exportExtensions\ExportExtension.php:1382
unserialize · $recent_archives = unserialize($get_widget_value[$value]['option_value']); · exportExtensions\ExportExtension.php:1392
unserialize · $recent_categories = unserialize($get_widget_value[$value]['option_value']); · exportExtensions\ExportExtension.php:1402
unserialize · $getRole = unserialize($capability); · exportExtensions\ExportExtension.php:1670
unserialize · $lang = unserialize($language); · exportExtensions\ExportExtension.php:1750
unserialize · $lang = unserialize($language); · exportExtensions\ExportExtension.php:1758
unserialize · $desc = unserialize($description); · exportExtensions\ExportExtension.php:1768
unserialize · $desc = unserialize($description); · exportExtensions\ExportExtension.php:1788
unserialize · $ticket_value = unserialize($ticket_meta_value); · exportExtensions\ExportExtension.php:2441
unserialize · $tickmemroles = unserialize($ticval->ticket_members_roles); · exportExtensions\ExportExtension.php:2482
unserialize · $ticket_value = unserialize($ticket_meta_value); · exportExtensions\ExportExtension.php:2499
unserialize · $media_value = unserialize($value); · exportExtensions\ExportExtension.php:3373
unserialize · $gal_value = unserialize($get_meta); · exportExtensions\ExportExtension.php:3389
unserialize · $checkbox_value = unserialize($value); · exportExtensions\ExportExtension.php:3419
unserialize · $checkbox_value = unserialize($value); · exportExtensions\ExportExtension.php:3426
unserialize · $jet_posts = unserialize($value); · exportExtensions\ExportExtension.php:3437
unserialize · $gal_value = unserialize($value); · exportExtensions\ExportExtension.php:3458
unserialize · $meta_value = unserialize($meta_value); · exportExtensions\ExportExtension.php:3564
unserialize · $checkValue = unserialize($meta_value); · exportExtensions\JetCustomTableExport.php:89
unserialize · $gal_value=unserialize($galleryval); · exportExtensions\JetCustomTableExport.php:116
unserialize · $media_value=unserialize($array_val); · exportExtensions\JetCustomTableExport.php:142
unserialize · $meta_value = unserialize($meta_value); · exportExtensions\JetCustomTableExport.php:153
unserialize · $meta_value = unserialize($meta_value); · exportExtensions\JetCustomTableExport.php:166
unserialize · $unser = @unserialize($meta_value); · exportExtensions\JetCustomTableExport.php:211
unserialize · $content = unserialize($value['post_content']); · exportExtensions\PostExport.php:707
unserialize · $rank_math = unserialize($rank_value); · exportExtensions\PostExport.php:1011
unserialize · $rank_robots = unserialize($rank_robots_value); · exportExtensions\PostExport.php:1075
unserialize · $value->meta_value = unserialize($value->meta_value); · exportExtensions\PostExport.php:1089
unserialize · $unser_relvalue = unserialize($get_jet_rel_value); · exportExtensions\PostExport.php:1296
unserialize · $downfiles = unserialize($value->meta_value); · exportExtensions\PostExport.php:1372
unserialize · $upselldata = unserialize($value->meta_value); · exportExtensions\PostExport.php:1382
unserialize · $cross_selldata = unserialize($value->meta_value); · exportExtensions\PostExport.php:1393
unserialize · $bundleselldata = unserialize($value->meta_value); · exportExtensions\PostExport.php:1405
unserialize · $grpdata = unserialize($value->meta_value); · exportExtensions\PostExport.php:1418
unserialize · $unserialize_faq_value = unserialize($faqs); · exportExtensions\PostExport.php:1457
unserialize · $value->meta_value = unserialize($value->meta_value); · exportExtensions\PostExport.php:1487
unserialize · $unmeta = unserialize($meta); · exportExtensions\PostExport.php:1526
unserialize · $acfva = unserialize($value->meta_value); · exportExtensions\PostExport.php:1555
unserialize · $value->meta_value = unserialize($value->meta_value); · exportExtensions\PostExport.php:1587
unserialize · $value->meta_value = unserialize($value->meta_value); · exportExtensions\PostExport.php:1610
unserialize · $unser = unserialize($value->meta_value); · exportExtensions\PostExport.php:1771
unserialize · $fieldset_values = unserialize($value->meta_value); · exportExtensions\PostExport.php:1865
unserialize · $meta_data = unserialize( $data->meta_value ); · exportExtensions\WooComExport.php:413
unserialize · $meta_data = unserialize($data->meta_value); · exportExtensions\WooComExport.php:467
unserialize · $cat_meta = unserialize($termMeta['cat_meta'][0]); · exportExtensions\WooComExport.php:1518
unserialize · $answers = unserialize($answers); · exportExtensions\WooComExport.php:1940
unserialize · $instructor=unserialize($records['_llms_instructors']); · exportExtensions\WPQueryExport.php:330
unserialize · $data = unserialize($userMetaInfo->meta_value); · exportExtensions\WPQueryExport.php:426
unserialize · $typefileds = unserialize($userMetaInfo->meta_value); · exportExtensions\WPQueryExport.php:462

SQL Query Safety

35% prepared · 414 total queries

Output Escaping

47% escaped · 49 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

4 flows · 1 with unsanitized paths
downloadFunction (exportExtensions\ExportExtension.php:109)
Attack Surface
4 unprotected

Export All Posts, Products, Orders, Refunds & Users Attack Surface

Entry Points: 13
Unprotected: 4

AJAX Handlers 13

auth · wp_ajax_parse_data · exportExtensions\ExportExtension.php:90
nopriv · wp_ajax_parse_data · exportExtensions\ExportExtension.php:94
auth · wp_ajax_total_records · exportExtensions\ExportExtension.php:98
auth · wp_ajax_get_download · exportExtensions\ExportExtension.php:102
auth · wp_ajax_get_post_types · exportExtensions\ExportHandler.php:28
auth · wp_ajax_get_taxonomies · exportExtensions\ExportHandler.php:29
auth · wp_ajax_get_authors · exportExtensions\ExportHandler.php:30
auth · wp_ajax_wpquery_data · exportExtensions\WPQueryExport.php:42
nopriv · wp_ajax_wpquery_data · exportExtensions\WPQueryExport.php:43
auth · wp_ajax_get_plugin_notice · wp-ultimate-exporter.php:105
auth · wp_ajax_upgrade_notices_csv_bro · wp-ultimate-exporter.php:107
nopriv · wp_ajax_upgrade_notices_csv_bro · wp-ultimate-exporter.php:108
auth · wp_ajax_dismiss_notice · wp-ultimate-exporter.php:109

WordPress Hooks 3

action · admin_notices · wp-ultimate-exporter.php:95
action · plugins_loaded · wp-ultimate-exporter.php:192
action · admin_notices · wp-ultimate-exporter.php:225
Maintenance & Trust

Export All Posts, Products, Orders, Refunds & Users Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 7.4
Downloads: 459K

Community Trust

Rating: 66/100
Number of ratings: 15
Active installs: 9K
Developer Profile

Export All Posts, Products, Orders, Refunds & Users Developer Profile

Smackcoders Inc.

20 plugins · 40K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 958 days
Detection Fingerprints

How We Detect Export All Posts, Products, Orders, Refunds & Users

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-ultimate-exporter/assets/css/exporter.css
/wp-content/plugins/wp-ultimate-exporter/assets/css/smack-exporter.css
/wp-content/plugins/wp-ultimate-exporter/assets/js/smack-exporter.js
/wp-content/plugins/wp-ultimate-exporter/assets/js/smack-exporter-backend.js
/wp-content/plugins/wp-ultimate-exporter/assets/js/smack-exporter-frontend.js
Script Paths
/wp-content/plugins/wp-ultimate-exporter/assets/js/smack-exporter.js
/wp-content/plugins/wp-ultimate-exporter/assets/js/smack-exporter-backend.js
/wp-content/plugins/wp-ultimate-exporter/assets/js/smack-exporter-frontend.js
Version Parameters
wp-ultimate-exporter/assets/css/exporter.css?ver=
wp-ultimate-exporter/assets/css/smack-exporter.css?ver=
wp-ultimate-exporter/assets/js/smack-exporter.js?ver=
wp-ultimate-exporter/assets/js/smack-exporter-backend.js?ver=
wp-ultimate-exporter/assets/js/smack-exporter-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
smack-exporter-wrapper
smack-exporter-content
HTML Comments
WP Ultimate Exporter. WP Ultimate Exporter plugin file. Copyright (C) 2010-2020, Smackcoders Inc - info@smackcoders.com This program is free software: you can redistribute it and/or modify (+12 more)
Data Attributes
data-exporter-id
data-nonce
JS Globals
smack_exporter_params
FAQ

Frequently Asked Questions about Export All Posts, Products, Orders, Refunds & Users