WP All Import – Import SEO Settings for Yoast SEO Security & Risk Analysis

The "yoast-seo-settings-xml-csv-import" plugin v1.1.8 exhibits a mixed security posture. While it boasts a clean vulnerability history with no known CVEs and a small attack surface with no publicly exposed entry points like AJAX handlers, REST API routes, or shortcodes, significant concerns arise from its static code analysis. The presence of the `unserialize` function, especially without any explicit nonce or capability checks on the code paths utilizing it, presents a critical risk. Taint analysis confirms this by revealing two high-severity flows with unsanitized paths, strongly suggesting a potential for deserialization vulnerabilities if user-controlled data can reach these functions.

Despite the absence of known vulnerabilities, the static analysis findings indicate a critical oversight in secure coding practices. The reliance on `unserialize` without proper validation and sanitization is a well-known vector for remote code execution. The fact that the plugin performs file operations and has some outputs that are not properly escaped further compounds these risks, although the taint analysis points are the most concerning. The plugin's strengths lie in its lack of external dependencies and prepared SQL statements, but these are overshadowed by the potential for severe deserialization vulnerabilities.