Primary

Context

WP All Import Plugin Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the WP All Import plugin for WordPress, affecting all versions up to and including 3.9.6. The issue arises from the use of eval() on unsanitized user input in the pmxi_if function within helpers/functions.php. This vulnerability allows authenticated attackers with import capabilities, typically administrators, to inject and execute arbitrary PHP code on the server by using crafted import templates.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the vulnerable WordPress site is hosted.

Remediation

Users are advised to update the WP All Import plugin to version 4.0.0 or a newer patched version.

Added: Nov 13, 2025, 4:18 AM

Updated: Nov 13, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.5

remediation

7.7

relevance

1.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.5

remediation

7.7

relevance

1.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WP All Import Plugin Remote Code Execution Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating