XML for Avito Security & Risk Analysis

wordpress.org/plugins/xml-for-avito

Creates an XML feed for uploading to Avito.

100 active installs · v2.5.11 · PHP 7.4.0+ · WP 5.0+ · Updated Dec 29, 2025
Tags: avito, export, market, woocommerce, xml

Score: 99/100
Grade: A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jan 10, 2025
Safety Verdict

Is XML for Avito Safe to Use in 2026?

Generally Safe

Score 99/100

XML for Avito has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jan 10, 2025 · Updated 3mo ago
Risk Assessment

The "xml-for-avito" plugin v2.5.11 exhibits a generally positive security posture with several good practices in place. The plugin demonstrates strong adherence to secure coding by utilizing prepared statements for all SQL queries and implementing a high percentage of proper output escaping. Furthermore, the absence of unprotected entry points like AJAX handlers, REST API routes, and shortcodes significantly reduces the immediate attack surface. The plugin also incorporates nonce and capability checks, indicating an awareness of common WordPress security mechanisms.

Key Concerns

  • Usage of unserialize function
  • Flows with unsanitized paths detected
  • Medium severity vulnerability historically
  • Non-critical but unsanitized taint flows
Vulnerabilities: 1

XML for Avito Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched; none unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-24646 · medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

XML for Avito <= 2.5.2 - Reflected Cross-Site Scripting

Disclosed Jan 10, 2025 · Patched in 2.5.3 (47 days)
Code Analysis
Analyzed Mar 16, 2026

XML for Avito Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 22 (178 escaped)
Nonce Checks: 6
Capability Checks: 4
File Operations: 28
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

unserialize (classes\system\pages\settings-page\class-xfavi-settings-page.php:536):
$value = unserialize( xfavi_optionGET( $data_arr['opt_name'], $feed_id ) );
The value passed to unserialize() is read from a stored plugin option via xfavi_optionGET() rather than directly from a request parameter, so the practical risk depends on who is able to write that option.

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

89% escaped · 200 total outputs
Data Flows: 5 unsanitized

Data Flow Analysis

14 flows · 5 with unsanitized paths
save_data (classes\system\pages\debug-page\class-xfavi-debug-page.php:357)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform; each flow is marked Unsanitized or Sanitized.
Attack Surface

XML for Avito Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 48
action save_post (classes\system\class-xfavi-interface-hocked.php:47)
action woocommerce_save_product_variation (classes\system\class-xfavi-interface-hocked.php:48)
filter woocommerce_product_data_tabs (classes\system\class-xfavi-interface-hocked.php:53)
action admin_footer (classes\system\class-xfavi-interface-hocked.php:54)
action woocommerce_product_data_panels (classes\system\class-xfavi-interface-hocked.php:55)
action woocommerce_process_product_meta (classes\system\class-xfavi-interface-hocked.php:56)
action woocommerce_product_after_variable_attributes (classes\system\class-xfavi-interface-hocked.php:57)
action product_cat_edit_form_fields (classes\system\class-xfavi-interface-hocked.php:60)
action edited_product_cat (classes\system\class-xfavi-interface-hocked.php:61)
action create_product_cat (classes\system\class-xfavi-interface-hocked.php:62)
action wp_loaded (classes\system\class-xfavi.php:285)
action admin_init (classes\system\class-xfavi.php:286)
action admin_init (classes\system\class-xfavi.php:287)
action admin_menu (classes\system\class-xfavi.php:290)
filter plugin_action_links (classes\system\class-xfavi.php:291)
filter upload_mimes (classes\system\class-xfavi.php:293)
filter cron_schedules (classes\system\class-xfavi.php:294)
action xfavi_cron_sborki (classes\system\class-xfavi.php:296)
action xfavi_cron_period (classes\system\class-xfavi.php:297)
action admin_notices (classes\system\class-xfavi.php:299)
action admin_enqueue_scripts (classes\system\class-xfavi.php:300)
filter xfavi_f_feedback_additional_info (classes\system\class-xfavi.php:303)
action admin_notices (classes\system\class-xfavi.php:330)
action my_admin_notices (classes\system\pages\debug-page\class-xfavi-debug-page.php:286)
action my_admin_notices (classes\system\pages\debug-page\class-xfavi-debug-page.php:306)
action admin_footer (classes\system\pages\settings-page\class-xfavi-settings-page-feeds-wp-list-table.php:51)
action x4avi_activation_forms (classes\system\updates\class-xfavi-plugin-form-activate.php:55)
action xfavi_activation_forms (classes\system\updates\class-xfavi-plugin-form-activate.php:56)
action xfavi_before_support_project (classes\system\updates\class-xfavi-plugin-form-activate.php:58)
filter pre_site_transient_update_plugins (classes\system\updates\class-xfavi-plugin-form-activate.php:210)
action admin_notices (classes\system\updates\class-xfavi-plugin-form-activate.php:218)
filter pre_set_site_transient_update_plugins (classes\system\updates\class-xfavi-plugin-upd.php:81)
filter plugins_api (classes\system\updates\class-xfavi-plugin-upd.php:83)
filter upgrader_package_options (classes\system\updates\class-xfavi-plugin-upd.php:85)
filter plugin_action_links (classes\system\updates\class-xfavi-plugin-upd.php:86)
action admin_notices (classes\system\updates\class-xfavi-plugin-upd.php:193)
action admin_notices (classes\system\updates\class-xfavi-plugin-upd.php:222)
action admin_print_footer_scripts (common-libs\class-icpd-feedback-1-0-1.php:88)
action admin_init (common-libs\class-icpd-feedback-1-0-1.php:95)
action admin_notices (common-libs\class-icpd-feedback-1-0-1.php:96)
filter wp_mail_content_type (common-libs\class-icpd-feedback-1-0-1.php:281)
action admin_print_footer_scripts (common-libs\class-icpd-promo-1-1-1.php:140)
action print_view_html_icpd_my_plugins_list (common-libs\class-icpd-promo-1-1-1.php:141)
action admin_notices (xml-for-avito.php:43)
action admin_notices (xml-for-avito.php:65)
action before_woocommerce_init (xml-for-avito.php:77)
action plugins_loaded (xml-for-avito.php:135)
action plugins_loaded (xml-for-avito.php:199)

Scheduled Events: 4

xfavi_cron_period
xfavi_cron_sborki
xfavi_cron_period
xfavi_cron_period
Maintenance & Trust

XML for Avito Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 29, 2025
PHP min version: 7.4.0
Downloads: 17K

Community Trust

Rating: 100/100
Number of ratings: 7
Active installs: 100
Developer Profile

XML for Avito Developer Profile

icopydoc

14 plugins · 16K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 102 days
Detection Fingerprints

How We Detect XML for Avito

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/xml-for-avito/css/style.css
/wp-content/plugins/xml-for-avito/css/custom.css
/wp-content/plugins/xml-for-avito/css/bootstrap.min.css
/wp-content/plugins/xml-for-avito/css/font-awesome.min.css
/wp-content/plugins/xml-for-avito/css/bootstrap-select.min.css
/wp-content/plugins/xml-for-avito/js/script.js
/wp-content/plugins/xml-for-avito/js/bootstrap.min.js
/wp-content/plugins/xml-for-avito/js/bootstrap-select.min.js
+3 more
Script Paths
/wp-content/plugins/xml-for-avito/js/script.js
/wp-content/plugins/xml-for-avito/js/bootstrap.min.js
/wp-content/plugins/xml-for-avito/js/bootstrap-select.min.js
/wp-content/plugins/xml-for-avito/js/custom.js
/wp-content/plugins/xml-for-avito/js/jquery.colorbox.js
/wp-content/plugins/xml-for-avito/js/tinymce/tinymce.min.js
Version Parameters
xml-for-avito/css/style.css?ver=
xml-for-avito/css/custom.css?ver=
xml-for-avito/css/bootstrap.min.css?ver=
xml-for-avito/css/font-awesome.min.css?ver=
xml-for-avito/css/bootstrap-select.min.css?ver=
xml-for-avito/js/script.js?ver=
xml-for-avito/js/bootstrap.min.js?ver=
xml-for-avito/js/bootstrap-select.min.js?ver=
xml-for-avito/js/custom.js?ver=
xml-for-avito/js/jquery.colorbox.js?ver=
xml-for-avito/js/tinymce/tinymce.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
xfavi_input, xfavi_select, xfavi_textarea, xfavi_settings_page, xfavi_debug_page, xfavi_error_log, xfavi_settings_section, xfavi_field_wrap, +1 more
HTML Comments
<!-- xml for avito settings -->
<!-- xml for avito debug -->
<!-- xml for avito error log -->
Data Attributes
data-xfavi-id, data-xfavi-type, data-xfavi-toggle, data-xfavi-target
JS Globals
XFAVI_ADMIN_AJAX_URL, XFAVI_AJAX_URL, xfavi_tinymce_init
FAQ

Frequently Asked Questions about XML for Avito