Description
The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-03-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (XSS) exploiting the 'filepath' parameter, allowing injection of arbitrary scripts via a malicious link that can be clicked by any site visitor.
Action: Immediate Patch
AI Analysis

Impact

The plugin processes a 'filepath' parameter from user input without proper sanitization or escaping, enabling a reflected cross‑site scripting (XSS) vulnerability. An attacker can craft a malicious URL that, when a victim clicks it, injects JavaScript into the page to steal credentials, hijack the session, or perform other client‑side attacks. The flaw does not require authentication and is triggered by a simple link click.

Affected Systems

WordPress sites running the WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin at version 4.0.0 or earlier. Every release up to and including 4.0.0 is affected, so any site on a legacy version is at risk.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalog, meaning CISA has not recorded confirmed exploitation in the wild. An attacker would need to lure a user into opening a crafted link against a vulnerable site, so the risk is moderate and partly mitigated by user awareness and by the requirement for victim interaction.

Generated by OpenCVE AI on April 15, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP All Import plugin to a version newer than 4.0.0, which contains the necessary input sanitization and output escaping changes.
  • If an upgrade is not immediately feasible, restrict access to the import interface so that only administrators can reach it, for example by disabling the plugin for non‑admin roles or adding authentication checks on requests that carry the 'filepath' parameter.
  • Review other input handling in the site for potential XSS issues and apply general PHP input sanitization best practices, ensuring all dynamic data is properly escaped before rendering.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpallimport; Wpallimport wp All Import – Drag & Drop Import For Csv, Xml, Excel & Google Sheets

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpallimport; Wpallimport wp All Import – Drag & Drop Import For Csv, Xml, Excel & Google Sheets

Fri, 06 Mar 2026 07:30:00 +0000

Type: Description
Values Added: The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Type: Title
Values Added: WP All Import <= 4.0.0 - Reflected Cross-Site Scripting via 'filepath'

Type: Weaknesses
Values Added: CWE-94

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpallimport Wp All Import – Drag & Drop Import For Csv, Xml, Excel & Google Sheets
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:40.105Z

Reserved: 2026-02-19T20:40:38.726Z

Link: CVE-2026-2830

Vulnrichment

Updated: 2026-03-09T15:28:29.677Z

NVD

Status : Deferred

Published: 2026-03-06T08:16:27.607

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-2830

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses