CVE-2026-2830: CWE-94 Improper Control of Generation of Code ('Code Injection') in wpallimport WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets
CVE-2026-2830 is a medium severity reflected cross-site scripting (XSS) vulnerability in the WP All Import WordPress plugin, affecting all versions up to 4.0.0. The flaw arises from insufficient input sanitization and output escaping of the 'filepath' parameter, allowing unauthenticated attackers to inject arbitrary web scripts. Exploitation requires tricking a user into clicking a crafted link, leading to script execution in the victim's browser. This vulnerability impacts confidentiality and integrity but does not affect availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or apply mitigations to prevent potential phishing or session hijacking attacks. Countries with significant WordPress usage and e-commerce presence are at higher risk. The CVSS score is 6.
AI Analysis
Technical Summary
CVE-2026-2830 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-94 (Improper Control of Generation of Code) found in the WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress. This vulnerability exists in all versions up to and including 4.0.0 due to insufficient sanitization and escaping of the 'filepath' parameter. An attacker can craft a malicious URL containing a payload in the 'filepath' parameter, which when visited by an unsuspecting user, causes arbitrary JavaScript code execution within the context of the affected website. This can lead to theft of authentication cookies, session tokens, or other sensitive information, as well as potential manipulation of the webpage content. The vulnerability is exploitable remotely over the network without authentication but requires user interaction (clicking a malicious link). The CVSS v3.1 base score is 6.1, indicating a medium severity level, with attack vector as network, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk especially to sites that rely on this plugin for importing data. The reflected XSS nature means the attack is transient and requires social engineering to succeed. The vulnerability highlights the importance of proper input validation and output encoding in web applications, particularly plugins that handle user-supplied parameters.
Potential Impact
The primary impact of CVE-2026-2830 is on the confidentiality and integrity of affected WordPress sites using the WP All Import plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. This can facilitate further attacks such as privilege escalation or persistent compromise if combined with other vulnerabilities. Although availability is not directly affected, the reputational damage and trust loss from successful attacks can be significant. Since the vulnerability requires user interaction, the attack surface depends on the ability of attackers to lure users into clicking malicious links, often via phishing campaigns. Organizations with high-traffic WordPress sites, especially those handling sensitive user data or e-commerce transactions, face increased risk. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate the risk, especially as attackers often weaponize such vulnerabilities after disclosure. The broad usage of WordPress globally means the potential impact spans many sectors including retail, media, education, and government websites.
Mitigation Recommendations
To mitigate CVE-2026-2830, organizations should first check for updates from the WP All Import plugin vendor and apply any available patches promptly once released. In the absence of an official patch, administrators can implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'filepath' parameter. Input validation and output encoding should be enforced at the application level to sanitize user-supplied data. Additionally, security teams should educate users about the risks of clicking unsolicited links and implement anti-phishing measures such as email filtering and user awareness training. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting the execution of unauthorized scripts. Monitoring web server logs for suspicious requests containing unusual 'filepath' parameter values can aid in early detection. Finally, consider restricting plugin usage to trusted administrators and minimizing exposure of vulnerable endpoints by limiting public access where possible.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-19T20:40:38.726Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa82b7c48b3f10ff296e63
Added to database: 3/6/2026, 7:31:03 AM
Last enriched: 3/6/2026, 7:46:06 AM
Last updated: 3/6/2026, 3:11:03 PM