Name: User Import with meta – WP Ultimate CSV Importer Add-on
Rating: 3
Author: Smackcoders Inc.,

Issues Details

167 issues found in latest scan

	Code	Message	Location	Category
ERROR	`WordPress.WP.AlternativeFunctions.unlink_unlink`	unlink() is discouraged. Use wp_delete_file() to delete a file.	`importExtensions/MediaHandling.php:53:5`	Plugin Repo
ERROR	`PluginCheck.Security.DirectDB.UnescapedDBParameter`	Unescaped parameter $data_array['user_pass'] used in $wpdb->get_results("UPDATE {$wpdb->prefix}users SET user_pass = '{$data_array['user_pass']}' WHERE ID = $retID")\n$data_array['user_pass'] assigned unsafely at line 85:\n $data_array['user_pass']=wp_hash_password($data_array['user_pass'])\n$data_array['user_pass'] assigned unsafely at line 74:\n $data_array['user_pass'] = wp_generate_password( 12, false )\n$retID assigned unsafely at line 95:\n $retID = wp_insert_user($data_array)\n$data_array assigned unsafely at line 69:\n $data_array = apply_filters('smack_csv_modify_userdata_filter', $data_array)	`importExtensions/UsersImport.php:98:12`	Security
ERROR	`WordPress.WP.AlternativeFunctions.parse_url_parse_url`	parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.	`importExtensions/MediaHandling.php:63:10`	Plugin Repo
ERROR	`PluginCheck.Security.DirectDB.UnescapedDBParameter`	Unescaped parameter $image_title used in $wpdb->get_results("SELECT ID FROM {$wpdb->prefix}posts WHERE post_type = 'attachment' AND guid LIKE '%$image_title%'")\n$image_title assigned unsafely at line 71:\n $image_title=preg_replace('/\\\\.[^.\\\\s]{3,4}$/', '', $img_url)\n$img_url assigned unsafely at line 62:\n $img_url = urldecode($encodedurl)\n$encodedurl assigned unsafely at line 61:\n $encodedurl = urlencode($img_url)	`importExtensions/MediaHandling.php:83:29`	Security
ERROR	`WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound`	Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "uci_init".	`import-users.php:102:24`	Plugin Repo
ERROR	`PluginCheck.Security.DirectDB.UnescapedDBParameter`	Unescaped parameter $post_id used in $wpdb->get_var("SELECT post_title FROM {$wpdb->prefix}posts WHERE ID = '{$post_id}' AND post_status != 'trash'")\n$post_id used without escaping.	`importExtensions/MediaHandling.php:402:24`	Security
ERROR	`WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound`	Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$userimp_class".	`import-users.php:114:1`	Plugin Repo
ERROR	`PluginCheck.Security.DirectDB.UnescapedDBParameter`	Unescaped parameter $attach_id used in $wpdb->get_results("SELECT ID FROM {$wpdb->prefix}posts WHERE ID ='{$attach_id}' AND post_title ='image-failed' AND post_type = 'attachment' AND guid LIKE '%$image_title%'")\n$attach_id assigned unsafely at line 91:\n $attach_id = $attachment_id[0]['ID']\n$image_title assigned unsafely at line 71:\n $image_title=preg_replace('/\\\\.[^.\\\\s]{3,4}$/', '', $img_url)\n$attachment_id[0]['ID'] used without escaping.\n$img_url assigned unsafely at line 62:\n $img_url = urldecode($encodedurl)\n$encodedurl assigned unsafely at line 61:\n $encodedurl = urlencode($img_url)	`importExtensions/MediaHandling.php:92:25`	Security
ERROR	`PluginCheck.Security.DirectDB.UnescapedDBParameter`	Unescaped parameter $fimg_name used in $wpdb->get_var("SELECT ID FROM ".$wpdb->prefix."posts WHERE post_type = 'attachment' AND guid LIKE '%$fimg_name'")\n$fimg_name assigned unsafely at line 231:\n $fimg_name = preg_replace('/[^a-zA-Z0-9._\\-\\s]/', '', $fimg_name)\n$fimg_name assigned unsafely at line 230:\n $fimg_name = str_replace(' ', '-', trim($fimg_name))\n$fimg_name assigned unsafely at line 229:\n $fimg_name = @basename($f_img)\n$f_img assigned unsafely at line 210:\n $f_img = $media_dir['url'].'/'.$f_img\n$media_dir['url'] used without escaping.	`importExtensions/MediaHandling.php:233:28`	Security
ERROR	`PluginCheck.Security.DirectDB.UnescapedDBParameter`	Unescaped parameter $post_id used in $wpdb->get_results("SELECT post_title,post_id,image_shortcode,media_id,original_image FROM {$wpdb->prefix}ultimate_csv_importer_shortcode_manager WHERE image_shortcode ='Featured_image_' AND post_id = '{$post_id}' AND original_image = '{$acf_csv_name}' ")\n$post_id used without escaping.\n$acf_csv_name used without escaping.	`importExtensions/MediaHandling.php:403:24`	Security

167 total row(s)


04.12.2025, 12:33:10	11s	61	34	133
14.11.2025, 04:34:47	11s	61	35	131

User Import with meta – WP Ultimate CSV Importer Add-on

Security141

Plugin Repository15

General6

importExtensions/MediaHandling.php76 issues in this fileTotal: 76Errors: 19Warnings: 57

importExtensions/UsersImport.php38 issues in this fileTotal: 38Errors: 2Warnings: 36

importExtensions/ImportHelpers.php24 issues in this fileTotal: 24Errors: 1Warnings: 23

controllers/SendPassword.php8 issues in this fileTotal: 8Warnings: 8

importExtensions/BuddyImport.php6 issues in this fileTotal: 6Errors: 2Warnings: 4

Readme.txt5 issues in this fileTotal: 5Errors: 1Warnings: 4

import-users.php4 issues in this fileTotal: 4Errors: 3Warnings: 1

SmackImportUserInstall.php3 issues in this fileTotal: 3Errors: 3

importExtensions/BSIImport.php1 issue in this fileTotal: 1Errors: 1

importExtensions/MultiroleImport.php1 issue in this fileTotal: 1Errors: 1