CVE-2026-2830
Received Received - Intake
Reflected XSS in WP All Import Plugin Allows Script Injection

Publication date: 2026-03-06

Last updated on: 2026-03-06

Assigner: Wordfence

Description
The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the β€˜filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2830
EUVD
EUVD-2026-10004
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_all_import wp_all_import to 4.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP All Import plugin for WordPress, up to version 4.0.0, has a vulnerability known as Reflected Cross-Site Scripting (XSS) via the 'filepath' parameter.

This vulnerability arises because the plugin does not properly sanitize or escape input provided through the 'filepath' parameter.

As a result, an unauthenticated attacker can inject arbitrary web scripts into pages that will execute if a user is tricked into clicking a malicious link.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of a user's browser session.

  • Steal sensitive information such as cookies or session tokens.
  • Perform actions on behalf of the user without their consent.
  • Redirect users to malicious websites or display fraudulent content.

Because the attack requires user interaction (clicking a crafted link), the impact depends on successful social engineering.

The CVSS score of 6.1 indicates a medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed, and partial impact on confidentiality and integrity.

Compliance Impact

I don't know

Detection Guidance

The vulnerability is a Reflected Cross-Site Scripting (XSS) via the 'filepath' parameter in the WP All Import plugin for WordPress. Detection involves identifying attempts to inject malicious scripts through this parameter.

To detect this vulnerability on your system or network, you can monitor HTTP requests for suspicious or unexpected input in the 'filepath' parameter, especially those containing script tags or encoded JavaScript.

  • Use web server access logs to search for requests with 'filepath' parameter containing suspicious payloads, e.g., using grep:
  • grep -i 'filepath=.*<script' /var/log/apache2/access.log
  • Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on reflected XSS patterns targeting the 'filepath' parameter.
  • If you have access to the WordPress site, you can test manually by crafting URLs with the 'filepath' parameter containing script payloads and observing if the script executes.
Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary immediate mitigation step is to update the WP All Import plugin to version 4.0.1 or later, where the vulnerability CVE-2026-2830 has been fixed.'}, {'type': 'paragraph', 'content': "This update includes security improvements that fix the reflected XSS vulnerability by properly sanitizing and escaping the 'filepath' parameter."}, {'type': 'list_item', 'content': 'Backup your WordPress site and database before applying the update.'}, {'type': 'list_item', 'content': 'Update the WP All Import plugin to version 4.0.1 or higher via the WordPress admin dashboard or manually by replacing plugin files.'}, {'type': 'list_item', 'content': "If immediate update is not possible, consider applying web application firewall (WAF) rules to block or sanitize requests containing suspicious 'filepath' parameter inputs."}, {'type': 'list_item', 'content': 'Monitor your site for suspicious activity and unauthorized script execution attempts.'}] [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2830. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart