We've just released new versions of WP All Import and WP All Export. This round of updates was focused on making WP All Export even better and streamlining WP All Import integration.

Auto Generated Exports

WP All Export makes it really easy to create a customized CSV or XML file from data in WordPress. But what if you don't care how the data is structured in the XML or CSV? What if you just want to move your WooCommerce products from one site to another?

Now you can auto generate your export settings. We'll put together a nice and pretty export file with all of the necessary data. We're going to roll this out to as many data types as possible, but for right now we can only auto generate exports for WooCommerce Products.

So, now you've created your export file in a couple clicks. Since WP All Export created this file, WP All Import should know how to import it without you telling it what to do. This brings us to the next big new feature.

Import Bundles

WP All Export and WP All Import now support Bundles - a zip file containing your data file and the import settings for WP All Import. So you can auto generate your export data, download the Bundle, and then import all of your products somewhere else using WP All Import.

Since all of the import settings are already there, you won't need to configure anything in WP All Import - we've already set everything up for you.

All exports now have the option to download the Bundle, and you can manually create your own by simply zipping your import template and data together.

Better Order Exports

Last time we added support for exporting WooCommerce Orders, but it didn't support any custom data added by WooCommerce Extensions. Now you can export any data associated with your WooCommerce Orders.

Export Files Moved

The export file name is now going to be the friendly name of your export, which can be edited on the 'Edit Options' page in WP All Export. We've also moved the location of your exported files. They now live in wp-content/uploads/wpallexport/exports.

We promise not to move or rename them again.

Updates All Around

All in all, we've updated almost all of our Pro plugins. For the add-ons, the updates were mostly focused on bug fixes. Here are the latest versions of everything that's been updated:

Help Make WP All Export Better

We are hard at work making WP All Export even better. If you have any feedback at all we really want to hear it. Things WP All Export does that it shouldn’t, things it doesn’t do that it should, things you love, things you hate, things you use it for, things you wish you could use it for – anything.

We’d love to hear about your experiences with WP All Export. Just send an email to support@wpallimport.com.

Making WP All Export even better is one of our main goals these days, and we're happy to announce that the 1.0.2 update has been released. Read on to learn about the new features in 1.0.2.

Easy Export Filters

Want to export all WooCommerce orders over $100? Want to export all of the green shirts from your WooCommerce store? Want to export all posts added in 2014? Well, now you can with a new, simple to use interface on the 'New Export' page.


Export WordPress Users

WP All Export now supports exporting WordPress users and all associated user meta. It is also fully compatible with the new export filter functions.


Better WooCommerce Order Exports

You can now export all order items, fees, discounts, shipping, and customer data associated with your WooCommerce Orders. We've simplified the entire process to make setting up complicated exports really, really easy.


Help Make WP All Export Better

We are hard at work making WP All Export even better. If you have any feedback at all we really want to hear it. Things WP All Export does that it shouldn't, things it doesn't do that it should, things you love, things you hate, things you use it for, things you wish you could use it for - anything. Just send us an email to support@wpallimport.com and mention WP All Export in the subject.

We'd love to hear about your experiences with WP All Export.

WP All Import 4.1.2 is a precautionary security update.

We've also added precautionary security measures to our add-ons, so it is recommended you update any add-ons you have installed to the latest versions as well.

These security updates address vulnerabilities in WP All Import related to blind SQL injection, accessing WP All Import methods without being logged in as admin, and reflected XSS.

This update is recommended, but is not mandatory or urgent.

A special thanks goes to Kacper Szurek for reporting the vulnerabilities to us!

What could a hacker do with the blind SQL injection vulnerability?

Only a site admin could exploit the SQL injection vulnerability. We patched it as a precautionary measure. A hacker could only exploit it if he had already gained admin access to your website.

What could a hacker do with the XSS vulnerability?

A hacker would have to trick you into visiting a malicious URL when you are logged in to your WordPress admin panel. It could not be exploited on a mass scale. A hacker would have to specifically target you, and trick you into visiting the malicious URL.

What could a hacker do with the "accessing WP All Import methods" vulnerability?

Non-admin users can execute certain WP All Import/add-on methods. We haven't yet seen any evidence that these vulnerabilities could be used to exploit anything. But we could be wrong, which is why we patched them.

Are these issues fixed in the free version of WP All Import?

Yes. These issues are fixed in pro version 4.1.2 and free version 3.2.5.

How do I install the update?

You can easily install it by upgrading from the Plugins page of your WordPress admin panel.

If you do not see the link to upgrade from within the WP admin panel, download and install the upgrade manually.

If you are using 4.0.9, simply enter your license key on the All Import -> Settings page. Then you will see the upgrade.

To manually upgrade, first, ensure you have a current backup of your site. Then:

1. Go to the Plugins page of your WP admin panel and de-activate and delete WP All Import from your site. You will not lose your settings/templates/previous imports.

2. Download the latest version from either http://www.wpallimport.com/portal (pro) or http://wordpress.org/plugins/wp-all-import/ (free).

3. Install the plugin manually: Here's how - from WPBeginner.com

I'm still using WP All Import 3.4.x (pro)

E-mail us and we'll send you a patched version of 3.4.x.

Any questions? E-mail us at support@wpallimport.com.

Want to report a security issue? Depending on the nature of the vulnerability, we'll potentially pay you a cash reward.

Two weeks ago we released WP All Import 4.1.1, a critical security update, and e-mailed all of our customers notifying them of the importance of upgrading immediately.

Just over a week later, three customers that did not upgrade to 4.1.1 reported that they were hacked.

The three hacks all followed the same pattern - a file named cache.php was uploaded to a folder inside /wp-content/uploads/wpallimport/uploads/ by exploiting the security hole in WP All Import that we patched with 4.1.1.

If you haven't upgraded to 4.1.1 (or 3.4.4), you should do so immediately. You should also check all of the subfolders inside /wp-content/uploads/wpallimport/uploads/ for a file named cache.php. If you find one, you were hacked.
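The check described above, as an added shell example (not code from the WP All Import team): it looks for cache.php under the import uploads folder and, going beyond the post, also lists any other PHP-executable file there, since that folder should hold only data files. The WordPress root argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage one WordPress install for the indicator in the post.
# Assumption: $1 is the WordPress root (the directory holding wp-content).

WPAI_UPLOADS="wp-content/uploads/wpallimport/uploads"

# SHA-256 of a file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-sha256-tool"
    fi
}

# List files named cache.php anywhere below the import uploads folder.
find_cache_php() {
    [ -d "$1/$WPAI_UPLOADS" ] || return 0
    find "$1/$WPAI_UPLOADS" -type f -name 'cache.php' -print
}

# Generalisation: list any file with a PHP-executable extension,
# whatever it is called, because import uploads are data files.
find_any_php() {
    [ -d "$1/$WPAI_UPLOADS" ] || return 0
    find "$1/$WPAI_UPLOADS" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' \
           -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# Print hash and directory listing for every hit, then return:
#   0 = nothing found
#   1 = cache.php present (the pattern reported in the post)
#   2 = other PHP files only (needs manual review)
scan_wp_root() {
    root=$1
    rc=0
    hits=$(find_any_php "$root")
    if [ -n "$hits" ]; then
        rc=2
        printf '%s\n' "$hits" | while IFS= read -r f; do
            # Hash and timestamp go into the incident record before cleanup.
            printf '%s  %s\n' "$(hash_file "$f")" "$(ls -ld "$f")"
        done
    fi
    if [ -n "$(find_cache_php "$root")" ]; then
        rc=1
    fi
    return $rc
}

# When called with a path, scan it: sh check_wpai.sh /var/www/html
if [ "$#" -gt 0 ]; then
    scan_wp_root "$1"
fi
```

Record the hash and listing of any hit before removing it, and treat a non-zero result as a reason to review the rest of the site, not only this folder.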

WP All Import 4.1.1 is a mandatory security update. It patches a severe vulnerability in WP All Import. You should upgrade immediately.

A special thanks goes to James Golovich (http://pritect.net/) and Ibrahim Raafat (https://twitter.com/RaafatSEC) for reporting the vulnerability to us!

At the time of this writing, we have not received any reports of sites hacked as a result of this vulnerability. To the best of our knowledge, this vulnerability has never been maliciously exploited in the wild.

What could a hacker do with this vulnerability?

In simple terms, a sophisticated attacker could completely take over your WordPress installation by uploading and executing malicious PHP code on your server.

In more technical terms, 4.1.1 patches a severe vulnerability related to AJAX request validation in admin_init that can be exploited to run methods of the PMXI_Controller_Admin class even without being logged in as a site admin.

Is this fixed in the free version of WP All Import?

Yes, it's fixed in both the pro and free versions. It's fixed in pro version 4.1.1 and free version 3.2.4.

How do I install the update?

You can easily install it by upgrading from the Plugins page of your WordPress admin panel.

If you do not see the link to upgrade from within the WP admin panel, download and install the upgrade manually.

To manually upgrade, first, ensure you have a current backup of your site. Then:

1. Go to the Plugins page of your WP admin panel and de-activate and delete WP All Import from your site. You will not lose your settings/templates/previous imports.

2. Download the latest version from either http://www.wpallimport.com/portal (pro) or http://wordpress.org/plugins/wp-all-import/ (free).

3. Install the plugin manually: Here's how - from WPBeginner.com

I'm still using WP All Import 3.x (pro)

If you don't want to upgrade, and you've already done your imports with WP All Import and are no longer using it, just de-activate it. We patched the 3.4.x branch. If you're using 3.4.x, e-mail support@wpallimport.com and we'll send you 3.4.4, which fixes the issue.

How long have you known about this?

On February 23rd at 3:36 PM Pacific Time the security researcher e-mailed our support desk and asked who he should contact about a security issue. We responded with information, and the security researcher sent us a proof of concept.

At 12:04 AM on February 24th we confirmed the exploit and sent the researcher a $500 bounty.

At 1:23 AM on February 26th we released versions 4.1.1 and 3.2.4 which patch the exploit.

At 1:46 AM on February 26th we sent an e-mail to our customer list notifying them to upgrade.

OK, I get that someone can execute any routine of PMXI_Controller_Admin - but how does that allow them to upload and execute PHP code?

In an effort to protect our customers, we're not going to actually disclose a proof of concept, although the security researcher may do so at a later date.

WP All Import is a popular plugin, so now that we've released the patch, any hacker can run a diff on 4.1.0 and 4.1.1 and see what we changed. So it is likely that an exploit for this vulnerability will eventually be made public.

Even if you've been proactive and disabled code execution in /wp-content/uploads/ (a good idea in general) or are on a managed host that does that for you - you should upgrade anyway.

While you're safe from the remote code execution vulnerability, attackers could still execute any routine of PMXI_Controller_Admin, which would allow them to view the contents of import logs, text files, and more.

What if my site was already hacked? Should I be scared?

This vulnerability has existed in WP All Import for a very long time. We've never heard a single report of it being exploited maliciously. It was brought to our attention by a security researcher, not a malicious hacker.

I upgraded and now whenever I try to import I get a "Security check" error.

Clear your browser cache.

Any questions? E-mail us at support@wpallimport.com.

Want to report a security issue? Depending on the nature of the vulnerability, we'll potentially pay you a cash reward.

WP All Import 4.0.3 is the 3rd maintenance release since 4.0 that fixes bugs present in 4.0.

You don't need to upgrade to 4.0.3 unless you are experiencing a bug that is fixed in the list below.

Here are the changes from 4.0 to 4.0.3, including the changes in 4.0.1 and 4.0.2:

* enhanced uploading of large files
* enhanced and optimized auto-detection of the root element
* enhanced taxonomies hierarchy settings
* enhanced file type auto-detection
* modified "existing Custom Field values" dropdown to only show a maximum of 10 values
* fixed significant bug that stopped the database schema from being upgraded from the 3.x structure to the 4.x structure on some web hosts, resulting in error messages when executing imports after upgrading from 3.4.x to 4.0 on certain web hosts
* fixed bug where wrong number of records would be displayed after changing an import source file
* fixed bug where the maximum log storage setting didn't apply to the database, resulting in too many logs being stored in the database
* fixed bug related to cron execution when "do not create new records" option is enabled
* fixed bug related to unlinking attachment sources when posts are updated/deleted
* fixed bug related to special chars in taxonomies/categories mapping

We're extremely proud to announce the release of WP All Import 4.0. WP All Import has a brand-new user interface and many new features making it more powerful and easier to use.

WP All Import has a brand new look and has been dramatically simplified and enhanced. There's less complexity, but more features. It's also much more obvious where things are - options you might want to use are easy to find, not hidden in an endless sea of other options, and it's harder to overlook important settings. Preview buttons in strategic places help you ensure your import is going to work the way you expect before you actually run it.



Documentation & video tutorials.

WP All Import 4.0 comes with all-new documentation and video tutorials. Documentation with many examples is available for complex aspects of the plugin, and video tutorials show WP All Import in action. WP All Import can do things you never imagined, so head on over to the docs and learn if WP All Import can help you with projects you never considered it a candidate for.

Enhanced reliability - "Import XML – Error" solved

WP All Import 4.0 is now better able to handle extremely large imports on unreliable, low quality web hosting providers. If you got the generic "Import XML – Error" message with 3.x, try 4.0. WP All Import v4 tries to automatically recover when web hosting providers stop it from running imports to completion. WP All Import has an iterative import process that processes your file piece by piece. When a host terminates an import process, WP All Import v4 will detect this and try again, but with a smaller piece of your file.

Numerous optimizations have also been made to the code to make it run faster, especially when performing complex imports.


Existing customers upgrade for free.

You can download 4.0 and install it on a new site from the customer portal. To upgrade a 3.x site to 4.0, please read the upgrade instructions.


Brand new website.

Our new website gives a much clearer overview of WP All Import and our add-ons, what they can do, and how to use them. If you're curious if you could be getting more out of WP All Import, check out our product tour and all new documentation & tutorials section.

Click here for detailed information on exactly what's new in 4.0!

WP All Import 4.0 doesn't just look better - it is better in every way.

Importing complex XML & CSV data to WordPress has never been easier.

Brand New User Interface

The user interface has been consolidated and simplified. So even though there are more features, WP All Import actually feels much simpler. Instead of getting lost in a sea of options, the features you need are right at your fingertips when you need them, and out of sight when you don't.



Know Your Images Will Import

A redesigned interface for importing images ensures that you choose the right options to get your images where you need them, and a Preview button shows you exactly where WP All Import will fetch your images from and confirm the operation will be successful - all before you run the import.



Plugin & Theme Fields Are Detected Automatically

Install a new theme or plugin, create an example post, and then click "Auto-Detect" in the Custom Fields section of WP All Import. The all-new Custom Fields section automatically detects the field names used by your plugins and themes, shows you all of the values that currently exist for those fields, adds the ability to map data in your file if your plugin or theme requires the value of a field be different than the way your XML or CSV file stores it, and adds better support for serialized fields.

With WP All Import 4.0 there's no more wasted time guessing field names, asking the theme authors for support, or looking at code. WP All Import figures out the field names and their possible values for you, automatically.


Taxonomies - Better In Every Way

Easily import hierarchical taxonomies no matter how they are stored in your file - plain-English options tell you exactly what settings you need to choose depending on the way your data is structured.

And wpai_util_map is a thing of the past. The all-new mapping lets you map and translate taxonomies in your file to different taxonomies on your site using a simple, visual interface.



Edit Everything About Your Existing Imports

A new Import Settings page makes it possible to change your XPath and Unique Key after you've already set your import. You can also change your import file source - if the URL to your XML or CSV file changes, you can easily enter the new URL on the Import Settings page, or you can change an import from using an existing file to using a URL as its data source.



Security Enhancements

All files you upload to WP All Import are now stored in folders with randomly generated filenames, making it very difficult for an attacker to find the files you are importing by guessing their URL.



Speed Optimizations & Enhanced Reliability On Bad Hosts

Numerous optimizations have been made to WP All Import's code base, making it run faster than ever before. If you got the generic "Import XML - Error" message with WP All Import 3.x, try your import again with WP All Import v4.

Not all web hosting providers are created equal, and many budget web hosting providers will stop scripts from using lots of server resources, but WP All Import's new auto-recovery from termination feature can often get around arbitrary limits on script execution times imposed by web hosting providers.

WP All Import splits up your import file into pieces, and then processes each piece individually. If a piece is too big and causes your web hosting provider to terminate WP All Import before it can finish processing the import, WP All Import automatically tries again with a smaller piece.


Support for JSON Files

Now you can import JSON files just like you would import a CSV or XML file. All the same WP All Import features are available when importing a JSON file as are when importing an XML file.


Better Logging

Every time a cron script runs, WP All Import logs exactly what happened, so you can confirm that your cron imports are working correctly. It also makes it much easier to set up a cron import for the first time and know it is working correctly.

WP All Import's import logs are also drastically improved and include much more detail. An all-new History Logs page shows you every time your import has been run, and multiple import history logs can be stored (default of 5, you can increase it on the Settings page) so you can see the details of what happened as far back as you want.



Get Alternate XPaths When Dragging & Dropping

Now it's possible to get XPaths that select your element by its relation to other elements, instead of just by its position in the file. This is really useful when importing post meta from WXR files. The first Custom Field in the WXR may not always be the field with the name you need. So instead of relying on order, you can rely on something else like the name associated with it. Just right click on an element's text to see all possible XPaths.



WooCommerce Add-On - Better Than Ever

Preview your prices before you import your products to ensure they are correct. Import simple & variable products at the same time with no hassle. Mark up or mark down prices in your file by a fixed amount or percentage, or convert between currencies, all in a visual interface.

Video tutorials for importing variable products and syncing stock levels are also available.



Advanced Custom Fields Add-On - More Powerful And Flexible

Importing to relationship fields can now be done by slug. Additional options have been added for importing data to repeater fields, making it possible to import repeating data from any XML or CSV file, no matter the structure of the repeating data.



Cleaner, Easier To Use, And More Complete

Tons of tiny enhancements have been added throughout the plugin. The contextual help tooltips are better. Many small bug fixes and user interface tweaks have been made. The Manage Imports page makes more sense. In Step 1, choose whether to import your XML or CSV file to new items, or whether to import data in it to existing items. Options and templates are saved together. When creating an import for the first time, you are forced to choose a Unique Key - so you'll never forget again and accidentally run your import with a unique key that isn't really unique. And much more. WP All Import 4 makes WP All Import cleaner, simpler, faster, and more powerful.



You should use 4.0 on all new sites you install WP All Import on. If you are installing WP All Import for the first time on a WordPress installation, use WP All Import 4.0.

You do not have to upgrade your existing sites. Upgrading is optional.

There are no known security issues in the latest 3.x release.

If we find out about a security issue in 3.x down the road, we will alert you via e-mail. As long as you didn't unsubscribe from our e-mails, you'll be notified if there is a security issue in 3.x that requires an upgrade to 4.x. One note about security: 4.0 has enhanced security for uploaded/imported files. In 3.x, these files can be publicly accessible if someone is able to guess the URL to the file - just like any other file stored in your /wp-content/ folder. In 4.0, we added a feature that randomizes the directory names the files are stored in, making it much less likely that someone would be able to guess.

Technical support will continue to be provided to 3.x users. We are happy to continue answering questions about how to use 3.x. If you need a bug fix though, you'll probably have to upgrade to 4.0, unless we opt to release a patch for 3.x - which we will only do for significant bugs.

If you have a site running 3.x that you have already set up and now it's just running on auto-pilot - there's no reason to upgrade. For example, maybe you set up a site for a client a while back, and it's running 3.x and working fine. There's no reason to upgrade that site to 4.0, unless the client needs some new 4.0-only features.

We will not be continuing to update the 3.x branch to be compatible with changes to WordPress, nor will we be updating the 3.x versions of our add-ons to be compatible with changes to WooCommerce or Advanced Custom Fields. If changes are made to WordPress, Advanced Custom Fields, or WooCommerce that break 3.x, you'll then need to upgrade to 4.0. However, it is highly unlikely WooCommerce, WordPress, or Advanced Custom Fields will make changes to the way they store data that are significant enough to cause WP All Import to stop working.

If you are using the WPML add-on for WP All Import, don't upgrade to 4.0. We've discontinued the WPML add-on. You can still use it in 3.x, but it is no longer for sale and not compatible with 4.0.

If you decide to upgrade to 4.0, here's how.

Read this post for instructions on upgrading a 3.4.x install to 4.0.

Just because you can upgrade doesn't mean that you should upgrade. Read the "Should I upgrade to 4.0?" post before deciding whether to upgrade.

Before upgrading, please perform a complete backup of your site.

Then, follow the instructions below to upgrade to 4.0.

1. If you have files in /wp-content/plugins/wpallimport/upload, move them to /wp-content/uploads/wpallimport/files/. “wpallimport” and “files” won’t exist yet – so create them manually, and chmod them to 0777. If you don't have files in this folder, you can ignore this step.

2. Remove WP All Import 3.x and all add-ons from your site by de-activating and deleting them from the Plugins page of your WordPress admin.

3. Install 4.0 and any add-ons you need the normal way – download the .zip files from the customer portal, and install them just as you would install any other WordPress plugin.

4. If anything in the plugin user interface doesn't look right, clear your browser cache and/or refresh the page.

That's it - you're now running 4.0!

Please double check your import settings and templates (Edit Options and Import Settings links on the Manage Imports page) and verify they are correct before re-running an import or allowing a cron import to run.