CVE-2026-2830
Reflected XSS in WP All Import Plugin Allows Script Injection
Publication date: 2026-03-06
Last updated on: 2026-03-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_all_import | wp_all_import | to 4.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP All Import plugin for WordPress, up to version 4.0.0, has a vulnerability known as Reflected Cross-Site Scripting (XSS) via the 'filepath' parameter.
This vulnerability arises because the plugin does not properly sanitize or escape input provided through the 'filepath' parameter.
As a result, an unauthenticated attacker can inject arbitrary web scripts into pages that will execute if a user is tricked into clicking a malicious link.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the context of a user's browser session.
- Steal sensitive information such as cookies or session tokens.
- Perform actions on behalf of the user without their consent.
- Redirect users to malicious websites or display fraudulent content.
Because the attack requires user interaction (clicking a crafted link), the impact depends on successful social engineering.
The CVSS score of 6.1 indicates a medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed, and partial impact on confidentiality and integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a Reflected Cross-Site Scripting (XSS) via the 'filepath' parameter in the WP All Import plugin for WordPress. Detection involves identifying attempts to inject malicious scripts through this parameter.
To detect this vulnerability on your system or network, you can monitor HTTP requests for suspicious or unexpected input in the 'filepath' parameter, especially those containing script tags or encoded JavaScript.
- Use web server access logs to search for requests with 'filepath' parameter containing suspicious payloads, e.g., using grep:
- grep -i 'filepath=.*<script' /var/log/apache2/access.log
- Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on reflected XSS patterns targeting the 'filepath' parameter.
- If you have access to the WordPress site, you can test manually by crafting URLs with the 'filepath' parameter containing script payloads and observing if the script executes.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary immediate mitigation step is to update the WP All Import plugin to version 4.0.1 or later, where the vulnerability CVE-2026-2830 has been fixed.'}, {'type': 'paragraph', 'content': "This update includes security improvements that fix the reflected XSS vulnerability by properly sanitizing and escaping the 'filepath' parameter."}, {'type': 'list_item', 'content': 'Backup your WordPress site and database before applying the update.'}, {'type': 'list_item', 'content': 'Update the WP All Import plugin to version 4.0.1 or higher via the WordPress admin dashboard or manually by replacing plugin files.'}, {'type': 'list_item', 'content': "If immediate update is not possible, consider applying web application firewall (WAF) rules to block or sanitize requests containing suspicious 'filepath' parameter inputs."}, {'type': 'list_item', 'content': 'Monitor your site for suspicious activity and unauthorized script execution attempts.'}] [3]