Plugin Vulnerability Hub
Plugin | 10 known issues | Latest disclosed: Feb 07, 2025

WP All Import Pro Vulnerabilities

Review known vulnerability records for the WordPress plugin WP All Import Pro (`wp-all-import-pro`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-9661, CVE-2024-9664 and CVE-2024-8722, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 10
High or Critical: 5
Patch Coverage: 100%
Last Updated: Feb 07, 2025

Priority CVE Quick Links

Fast paths into WP All Import Pro CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 6

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP All Import Pro so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 10 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 5 high severity findings.
Recent CVEs: CVE-2024-9661, CVE-2024-9664 and CVE-2024-8722
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for WP All Import Pro

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2024-9661
CVE-2024-9661: WP All Import Pro <= 4.9.7 - Cross-Site Request Forgery to Imported Content Deletion

The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported con...

Published: Feb 07, 2025
Patched Release: 4.9.8
Affected Versions: Versions up to 4.9.7
Next Step: Update to 4.9.8 or newer if supported.

Plugin | High | Patched: Yes | CVE-2024-9664
CVE-2024-9664: WP All Import Pro <= 4.9.7 - Authenticated (Administrator+) PHP Object Injection via Import File

The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above,...

Published: Feb 07, 2025
Patched Release: 4.9.8
Affected Versions: Versions up to 4.9.7
Next Step: Update to 4.9.8 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-8722
CVE-2024-8722: WP All Import Pro <= 4.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload

The Import any XML or CSV File to WordPress PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Published: Jan 18, 2025
Patched Release: 4.9.8
Affected Versions: Versions up to 4.9.7
Next Step: Update to 4.9.8 or newer if supported.

Plugin | High | Patched: Yes | CVE-2024-9624
CVE-2024-9624: WP All Import Pro <= 4.9.3 - Authenticated (Administrator+) Server-Side Request Forgery via File Import

The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level acce...

Published: Dec 16, 2024
Patched Release: 4.9.4
Affected Versions: Versions up to 4.9.3
Next Step: Update to 4.9.4 or newer if supported.

Plugin | High | Patched: Yes
All Import Pro Plugin < 4.1.2 - SQL injection

The All Import Pro Plugin for WordPress is vulnerable to blind SQL Injection via the unknown parameter in versions up to, and including, 4.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it p...

Published: Mar 19, 2020
Patched Release: 4.1.2
Affected Versions: Versions before 4.1.2
Next Step: Update to 4.1.2 or newer if supported.

Plugin | Medium | Patched: Yes
WP All Import Pro < 4.1.1 - Reflected Cross Site Scripting

The WP All Import Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a...

Published: Feb 19, 2020
Patched Release: 4.1.1
Affected Versions: Versions before 4.1.1
Next Step: Update to 4.1.1 or newer if supported.

Plugin | Medium | Patched: Yes
Import any XML or CSV File to WordPress <= 3.2.4 - Missing Authorization and Cross-Site Request Forgery Checks

The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.2.4 due to missing capability and nonce checks on various functions.

Published: Feb 19, 2020
Patched Release: 4.1.2
Affected Versions: Versions up to 4.1.1
Next Step: Update to 4.1.2 or newer if supported.

Plugin | High | Patched: Yes
Import any XML or CSV File to WordPress <= 3.2.4 - SQL Injection

The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in versions up to, and including, 3.2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

Published: Feb 19, 2020
Patched Release: 4.1.2
Affected Versions: Versions up to 4.1.1
Next Step: Update to 4.1.2 or newer if supported.

Plugin | High | Patched: Yes | CVE-2015-9331
CVE-2015-9331: Import any XML or CSV File to WordPress <= 3.2.3 & PRO < 4.1.1 - Missing Authorization Checks

The wp-all-import plugin before 3.2.4 for WordPress has no prevention of unauthenticated requests to adminInit.

Published: Aug 20, 2019
Patched Release: 4.1.1
Affected Versions: Versions before 4.1.1
Next Step: Update to 4.1.1 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2015-9329
CVE-2015-9329: Import any XML or CSV File to WordPress <= 3.2.4 - Reflected Cross-Site Scripting

The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbi...

Published: Feb 26, 2015
Patched Release: 4.1.2
Affected Versions: Versions up to 4.1.1
Next Step: Update to 4.1.2 or newer if supported.