WP All Import 4.1.1 - Mandatory Security Update

WP All Import 4.1.1 is a mandatory security update. It patches a severe vulnerability in WP All Import. You should upgrade immediately.

A special thanks goes to James Golovich (http://pritect.net/) and Ibrahim Raafat (https://twitter.com/RaafatSEC) for reporting the vulnerability to us!

At the time of this writing, we have not received any reports of sites hacked as a result of this vulnerability. To the best of our knowledge, this vulnerability has never been maliciously exploited in the wild.

What could a hacker do with this vulnerability?

In simple terms, a sophisticated attacker could completely take over your WordPress installation by uploading and executing malicious PHP code on your server.

In more technical terms, 4.1.1 patches a severe vulnerability related to AJAX request validation in admin_init that can be exploited to run methods of the PMXI_Controller_Admin class even without being logged in as a site admin.
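
The bug class described above, shown as an added example (this is not WP All Import's code and not the actual patch): WordPress fires admin_init for requests to wp-admin/admin-ajax.php even when the visitor is not logged in, so a dispatcher hooked there has to authorize the caller itself. The controller class, page slug, nonce action and method names below are hypothetical.

```php
<?php
// Added illustration of a hardened admin_init dispatcher.
// Hypothetical plugin code; none of these names come from WP All Import.

// Only these controller methods may be reached from a request.
const EXAMPLE_ALLOWED_ACTIONS = array( 'index', 'log' );

class Example_Controller_Admin {
    public function index() { echo 'import list'; }
    public function log()   { echo 'import log'; }
}

add_action( 'admin_init', 'example_admin_dispatch' );

function example_admin_dispatch() {
    // Ignore requests that are not addressed to this plugin's page.
    if ( ! isset( $_REQUEST['page'] ) || 'example-import' !== $_REQUEST['page'] ) {
        return;
    }

    // 1. Authorization. admin_init running does NOT mean an admin is logged
    //    in: it also fires on admin-ajax.php for anonymous visitors.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Request origin. The nonce (emitted in the plugin's forms with
    //    wp_nonce_field( 'example_import_action' )) ties the request to this
    //    admin's session; check_admin_referer() dies if it is missing or invalid.
    check_admin_referer( 'example_import_action', '_wpnonce' );

    // 3. Routing. Never map a request parameter straight onto a method name;
    //    normalise it and compare against the allow-list.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : 'index';
    if ( ! in_array( $action, EXAMPLE_ALLOWED_ACTIONS, true ) ) {
        wp_die( 'Unknown action', 'Bad request', array( 'response' => 400 ) );
    }

    $controller = new Example_Controller_Admin();
    $controller->$action();
}
```

Dropping any one of the three checks reopens part of the problem: without the capability check anonymous requests reach the controller, without the nonce a logged-in admin can be made to send the request unknowingly, and without the allow-list every public method becomes routable.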

Is this fixed in the free version of WP All Import?

Yes, it's fixed in both the pro and free versions. It's fixed in pro version 4.1.1 and free version 3.2.4.

How do I install the update?

You can easily install it by upgrading from the Plugins page of your WordPress admin panel.

If you do not see the link to upgrade from within the WP admin panel, download and install the upgrade manually.

To manually upgrade, first, ensure you have a current backup of your site. Then:

1. Go to the Plugins page of your WP admin panel and de-activate and delete WP All Import from your site. You will not lose your settings/templates/previous imports.

2. Download the latest version from either http://www.wpallimport.com/portal (pro) or http://wordpress.org/plugins/wp-all-import/ (free).

3. Install the plugin manually (see the how-to guide from WPBeginner.com).

I'm still using WP All Import 3.x (pro)

If you don't want to upgrade, and you've already done your imports with WP All Import and are no longer using it, just de-activate it. We patched the 3.4.x branch. If you're using 3.4.x, e-mail [email protected] and we'll send you 3.4.4, which fixes the issue.

How long have you known about this?

On February 23rd at 3:36 PM Pacific Time the security researcher e-mailed our support desk and asked who he should contact about a security issue. We responded with information, and the security researcher sent us a proof of concept.

At 12:04 AM on February 24th we confirmed the exploit and sent the researcher a $500 bounty.

At 1:23 AM on February 26th we released versions 4.1.1 and 3.2.4 which patch the exploit.

At 1:46 AM on February 26th we sent an e-mail to our customer list notifying them to upgrade.

OK, I get that someone can execute any routine of PMXI_Controller_Admin - but how does that allow them to upload and execute PHP code?

In an effort to protect our customers, we're not going to actually disclose a proof of concept, although the security researcher may do so at a later date.

WP All Import is a popular plugin, so now that we've released the patch, any hacker can run a diff on 4.1.0 and 4.1.1 and see what we changed. So it is likely that an exploit for this vulnerability will eventually be made public.

Even if you've been proactive and disabled code execution in /wp-content/uploads/ (a good idea in general) or are on a managed host that does that for you - you should upgrade anyway.

While you're safe from the remote code execution vulnerability, attackers could still execute any routine of PMXI_Controller_Admin, which would allow them to view the contents of import logs, text files, and more.

What if my site was already hacked? Should I be scared?

This vulnerability has existed in WP All Import for a very long time. We've never heard a single report of it being exploited maliciously. It was brought to our attention by a security researcher, not a malicious hacker.

I upgraded and now whenever I try to import I get a "Security check" error.

Clear your browser cache.

Any questions? E-mail us at [email protected].

Want to report a security issue? Depending on the nature of the vulnerability, we'll potentially pay you a cash reward.
