WP All Import <= 4.0.0 - Reflected Cross-Site Scripting via 'filepath'
Description
The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Technical Details
What Changed in the Fix
Changes introduced in v4.0.1
Source Code
WordPress.org SVN
Research Plan: CVE-2026-2830 - Reflected XSS via 'filepath'
1. Vulnerability Summary
The WP All Import plugin (v4.0.0 and below) is vulnerable to Reflected Cross-Site Scripting (XSS) via the filepath parameter. The vulnerability exists because the plugin captures the filepath from the URL and reflects it back into the HTML response during the import workflow (specifically when moving between steps or displaying error messages) without proper sanitization or output escaping using functions like esc_attr() or esc_html().
2. Attack Vector Analysis
- Endpoint: `/wp-admin/admin.php`
- Query Parameters:
  - `page`: `pmxi-admin-import` (the primary admin page slug for the plugin)
  - `step`: `2` (Step 2 is where the plugin processes the file identified in Step 1)
  - `filepath`: the XSS payload
- Authentication: Required (Victim must be an Administrator). The attacker is unauthenticated but must trick the Administrator into clicking a malicious link.
- Preconditions: The plugin must be active. No specific import needs to be in progress, as the plugin will often reflect the parameter even if the file doesn't exist.
3. Code Flow (Inferred)
- Entry Point: The `admin_menu` hook (registered in `PMXI_Plugin::__construct`) registers the `pmxi-admin-import` page.
- Controller: The request is handled by the `PMXI_Admin_Import` controller's `index` method.
- Parameter Capture: The code retrieves `$_GET['filepath']` to determine which file to process for Step 2 of the import.
- Reflection Sink:
  - The controller likely assigns this value to a template variable (e.g., `$this->data['filepath']`).
  - The view (likely `admin/views/admin/import/step2.php` or `index.php`) echoes this value inside a hidden input field or a label:
    `<input type="hidden" name="filepath" value="<?php echo $_GET['filepath']; ?>" />`
  - Alternatively, it may echo it in an error message if the file is not found:
    `<div class="error"><p>File <?php echo $_GET['filepath']; ?> not found.</p></div>`
4. Nonce Acquisition Strategy
Reflected XSS in a GET parameter on an admin page typically does not require a nonce to trigger the reflection. Nonces in WordPress are primarily used to protect against state-changing actions (POST requests/AJAX). Since the goal is to execute a script via a URL, the GET request to admin.php with the malicious parameter should trigger the vulnerable view directly.
5. Exploitation Strategy
The goal is to provide a filepath that breaks out of an HTML attribute (like value="") and executes a script.
Step-by-Step Plan:
- Preparation: Ensure an Administrator user is logged in (handled by the test environment).
- Craft Payload:
  - Primary Payload (Attribute Breakout): `"><script>alert(document.domain)</script>`
  - SVG Payload (Bypasses simple filters): `"><svg/onload=alert(document.cookie)>`
- Execute Request: Use the `http_request` tool to simulate the Administrator clicking the link.
  - Target URL: `http://localhost:8080/wp-admin/admin.php?page=pmxi-admin-import&step=2&filepath=%22%3E%3Cscript%3Ealert(1)%3C/script%3E`
HTTP Request Details:
- Method: `GET`
- URL: `http://localhost:8080/wp-admin/admin.php?page=pmxi-admin-import&step=2&filepath=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E`
- Headers: `Cookie:` (the agent's session cookies for the Admin user)
6. Test Data Setup
- Activate Plugin: Ensure `wp-all-import` version 4.0.0 is installed and activated.
- No Specific Data: Since this is reflected XSS via a GET parameter that is echoed back regardless of file existence, no specific imports or files need to be pre-created.
7. Expected Results
- The HTTP response will have a `200 OK` status.
- The response body will contain the literal string `value=""><script>alert(document.domain)</script>"` or `<div class="error">..."><script>alert(document.domain)</script>...</div>`.
- This confirms that the input was not sanitized by `sanitize_text_field()` (which would strip tags) and not escaped by `esc_attr()` or `esc_html()`.
8. Verification Steps
- Grep Response: Search the response body for the injected `<script>` tag. Conceptually: `grep "<script>alert(document.domain)</script>" response_body.html`.
- Manual Browser Check: Use `browser_navigate` to open the crafted URL and use `wait_until` to check whether an alert or a specific DOM change occurred.
9. Alternative Approaches
If `step=2` does not reflect the parameter, try other common WP All Import parameters/steps:
- `admin.php?page=pmxi-admin-import&action=view_resource&filepath=<payload>`
- `admin.php?page=pmxi-admin-import&step=1&filepath=<payload>`
- Check if the reflection occurs inside a JavaScript block. If so, use a payload like: `';alert(1);//`
If PR:N implies an unauthenticated endpoint, check for wp_ajax_nopriv_ actions in the source (though the description points to reflected XSS via link-clicking, which is typically admin-targeted).
Summary
The WP All Import plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'filepath' parameter in versions up to 4.0.0. This occurs because the plugin reflects the 'filepath' query parameter back into the HTML response during the import workflow (specifically Step 2) without sufficient sanitization or output escaping, allowing arbitrary script execution in a user's browser.
Vulnerable Code
```php
<!-- Inferred from research plan: admin/views/admin/import/step2.php or index.php -->
<input type="hidden" name="filepath" value="<?php echo $_GET['filepath']; ?>" />

<!-- Alternatively reflected in error messages when the file is not found: -->
<div class="error"><p>File <?php echo $_GET['filepath']; ?> not found.</p></div>
```
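As an added example (not code from the plugin or from this advisory), the inferred sink shown above sits beside a hardened version that sanitizes on capture and escapes for the exact output context. The `esc_attr()`, `esc_html()` and `sanitize_text_field()` definitions are assumed stand-ins approximating WordPress's helpers so the file runs from the PHP CLI; under WordPress the real functions are used instead.

```php
<?php
// Added example: vulnerable reflection vs. hardened output for the 'filepath' value.
// The three helpers below are ASSUMED stand-ins for WordPress's functions so this
// runs outside WordPress; inside WordPress function_exists() keeps the real ones.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Approximation: strip tags, control characters and surrounding whitespace.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}

// Vulnerable pattern as inferred on the page: the raw query value lands in an attribute.
function render_vulnerable(string $filepath): string {
    return '<input type="hidden" name="filepath" value="' . $filepath . '" />';
}

// Hardened pattern: sanitize where the controller reads $_GET, then escape each
// sink for its context (esc_attr in the attribute, esc_html in the error text).
// Both sinks from the page are rendered together here only for the demonstration.
function render_hardened(string $filepath): string {
    $filepath = sanitize_text_field($filepath);
    return '<input type="hidden" name="filepath" value="' . esc_attr($filepath) . '" />'
         . '<div class="error"><p>File ' . esc_html($filepath) . ' not found.</p></div>';
}

// Constructed input shaped like the attribute breakout described on the page,
// using a harmless <b> tag as the marker instead of a script.
$input = $_GET['filepath'] ?? '"><b>x</b>';
echo render_vulnerable($input), PHP_EOL;  // attribute closed early, <b> becomes markup
echo render_hardened($input), PHP_EOL;    // value stays inside the attribute as &quot;&gt;x
```

Escaping at the echo is what closes the XSS; `sanitize_text_field()` on capture is defence in depth and also keeps the value usable as a path lookup key.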
Security Fix
@@ -25,7 +25,7 @@ */ define('WP_ALL_IMPORT_PREFIX', 'pmxi_'); -define('PMXI_VERSION', '4.0.0'); +define('PMXI_VERSION', '4.0.1'); define('PMXI_EDITION', 'free'); @@ -196,6 +196,10 @@ == Changelog == += 4.0.1 = +* security improvement: fixes CVE-2026-2830 +* maintenance: update packages +
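Review bot: the first hunk only changes `PMXI_VERSION` from '4.0.0' to '4.0.1' and carries no security-relevant logic; since the advisory attributes the fix to output escaping of `filepath`, the hunk that adds `esc_attr()`/`esc_html()` at the echo in the view or the `PMXI_Admin_Import` controller should be included so the escaping change can be reviewed rather than inferred from the version bump.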
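Review bot: the changelog line `+* security improvement: fixes CVE-2026-2830` is not backed by any code change visible in this excerpt, and `+* maintenance: update packages` does not name the packages; suggest stating in the entry which parameter (`filepath`) and which view were escaped, and listing the updated dependencies, so site operators can verify what 4.0.1 actually changed.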
Exploit Outline
To exploit this vulnerability, an attacker must trick an authenticated administrator into clicking a crafted link. The attack targets the WP All Import admin page by supplying a malicious payload in the 'filepath' GET parameter.
1. Target URL: `/wp-admin/admin.php?page=pmxi-admin-import&step=2&filepath="><script>alert(document.domain)</script>`
2. The payload uses a double quote and angle bracket (`">`) to break out of the HTML attribute (e.g., `value=""`) where the parameter is reflected.
3. Because the plugin echoes the 'filepath' parameter directly into the page without using functions like `esc_attr()` or `esc_html()`, the script tag is rendered as part of the DOM and executed by the browser.
4. No nonce is required to trigger this reflection as it is a GET-based reflected XSS.