Platform: wordpress
Component: wp-all-import
Fixed in: 4.0.1
CVE-2026-2830 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting the WP All Import plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious web scripts, potentially leading to account compromise and website defacement. The vulnerability impacts versions 0.0.0 through 4.0.0 of the plugin, and a fix is available in version 4.0.1.
An attacker exploits this vulnerability by crafting a URL whose 'filepath' parameter carries script content. When a user opens that link, the injected script executes in their browser within the context of the WordPress site, which can allow the attacker to steal session cookies, redirect the user to a phishing site, or modify the content of the page. The impact is particularly severe if the targeted user has administrative privileges, as the attacker could then gain control of the entire WordPress installation. This vulnerability highlights the importance of proper input sanitization and output escaping in web applications, especially those handling user-supplied data.
CVE-2026-2830 was publicly disclosed on 2026-03-06. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The medium CVSS score indicates a moderate risk of exploitation, particularly given the widespread use of the WP All Import plugin.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-2830 is to immediately upgrade the WP All Import plugin to version 4.0.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the 'filepath' parameter. Additionally, carefully review any user input related to file paths and ensure proper sanitization and escaping are applied. Monitor WordPress logs for unusual activity or attempts to exploit the vulnerability. After upgrading, confirm the fix by attempting to access a crafted URL with a malicious payload; the request should be blocked or sanitized.
Update to version 4.0.1, or a newer patched version
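As an added example for the log-monitoring step above (not code from the advisory or from the WP All Import plugin), the following Python scanner reads access log lines and flags requests whose 'filepath' query parameter contains markup characters after URL decoding, including double-encoded values that a naive single decode would miss. The admin page path, IP addresses and log lines are constructed samples; the plugin's real request path is not given on this page.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Matches the start of an Apache/nginx "combined" access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Markup characters, a javascript: scheme or an on*= handler have no place in a
# file path; any of them in the decoded value is treated as an XSS indicator.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Constructed sample lines; the admin page and IPs are placeholders, not the
# plugin's real endpoint. Lines 2 and 3 carry encoded / double-encoded markup.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin.php'
    '?page=example&filepath=uploads/products.csv HTTP/1.1" 200 5120',
    '203.0.113.11 - - [06/Mar/2026:10:00:02 +0000] "GET /wp-admin/admin.php'
    '?page=example&filepath=%22%3E%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200 5120',
    '203.0.113.12 - - [06/Mar/2026:10:00:03 +0000] "GET /wp-admin/admin.php'
    '?page=example&filepath=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dtest%253E HTTP/1.1" 200 5120',
    '203.0.113.13 - - [06/Mar/2026:10:00:04 +0000] "GET /wp-admin/admin.php'
    '?page=example&filepath=reports%2F2026%2Fq1.xml HTTP/1.1" 404 312',
]

def decode_param_values(url: str, name: str) -> List[str]:
    """All values of query parameter `name`, URL-decoded twice so that a
    double-encoded payload (%253C -> %3C -> <) is not missed."""
    once = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [])
    return [unquote_plus(v) for v in once]

def flag_line(line: str) -> Optional[dict]:
    """Return a finding for a line whose `filepath` value contains markup,
    or None for lines that do not parse or look benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for value in decode_param_values(m['url'], 'filepath'):
        if SUSPICIOUS.search(value):
            return {'ip': m['ip'], 'ts': m['ts'],
                    'status': m['status'], 'filepath': value}
    return None

def scan(lines: List[str]) -> List[dict]:
    """Run flag_line over every line and keep only the findings."""
    return [f for f in map(flag_line, lines) if f]
```

Calling `scan(SAMPLE_LOG)` returns two findings, one per encoded and double-encoded request; a 200 response to such a request on an unpatched install is the case worth investigating first.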
CVE-2026-2830 is a Reflected Cross-Site Scripting (XSS) vulnerability in the WP All Import plugin for WordPress, allowing attackers to inject scripts via the 'filepath' parameter.
You are affected if you are using WP All Import versions 0.0.0 through 4.0.0. Upgrade to 4.0.1 or later to mitigate the risk.
Upgrade the WP All Import plugin to version 4.0.1 or later. Consider implementing a WAF rule to block malicious requests as a temporary measure.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official WP All Import website or WordPress plugin repository for the latest advisory and update information.