WP All Import 4.1.2 is a precautionary security update.

We've also added precautionary security measures to our add-ons, so it is recommended you update any add-ons you have installed to the latest versions as well.

These security updates address vulnerabilities in WP All Import related to blind SQL injection, accessing WP All Import methods without being logged in as admin, and reflected XSS.

This updated is recommended, but is not mandatory or urgent.

A special thanks goes Kacper Szurek for reporting the vulnerabilities to us!

What could a hacker do with the blind SQL injection vulnerability?

Only a site admin could exploit the SQL injection vulnerability. We patched it as a precautionary measure. A hacker could only exploit it if he already gained admin access to your website.

What could a hacker do with the XSS vulnerability?

A hacker would have to trick you into visiting a malicious URL when you are logged in to your WordPress admin panel. It could not be exploited on a mass scale. A hacker would have to specifically target you, and trick you into visiting the malicious URL.

What could a hacker do with the "accessing WP All Import methods" vulnerability?

Non-admin users can execute certain WP All Import/add-on methods. We haven't yet seen any evidence that these vulnerabilities could be used to exploit anything. But we could be wrong, which is why we patched them.

Are these issues fixed in the free version of WP All Import?

Yes. These issues are fixed in pro version 4.1.2 and free version 3.2.5.

How do I install the update?

You can easily install it by upgrading from the Plugins page of your WordPress admin panel.

If you do not see the link to upgrade from within the WP admin panel, download and install the upgrade manually.

If you are using 4.0.9, simply enter your license key on the All Import -> Settings page. Then you will see the upgrade.

To manually upgrade, first, ensure you have a current backup of your site. Then:

1. Go to the Plugins page of your WP admin panel and de-activate and delete WP All Import from your site. You will not lose your settings/templates/previous imports.

2. Download the latest version from either http://www.wpallimport.com/portal (pro) or http://wordpress.org/plugins/wp-all-import/ (free).

3. Install the plugin manually: Here's how - from WPBeginner.com

I'm still using WP All Import 3.4.x (pro)

E-mail us and we'll send you a patched version of 3.4.x.

Any questions? E-mail us at [email protected].

Want to report a security issue? Depending on the nature of the vulnerability, we'll potentially pay you a cash reward.