WordPress importer and attached file

WordPress project have put a lot of effort to prevent meddling with _wp_attached_file meta value. Part of this effort was put into wordpress-importer plugin as part of the core, but… Few versions back there was possibility to bypass those restrictions with \ WP “magic”, but there are few more techniques.

Eli5 PoC

class-wp-import.php method is_valid_meta_key we have the following:

function is_valid_meta_key( $key ) {
		// skip attachment metadata since we'll regenerate it from scratch
		// skip _edit_lock as not relevant for import
		if ( in_array( $key, array( '_wp_attached_file', '_wp_attachment_metadata', '_edit_lock' ) ) )
			return false;
		return $key;


add_filter( 'import_post_meta_key', array( $this, 'is_valid_meta_key' ) );

Do you see _wp_attachment_backup_sizes blocked in the code? Why is that important?

Few facts

  • There are reliable attacks against export-import process from low privileged accounts


  • Don’t allow wordpress-importer to fall back on the class WXR_Parser_Regex
  • Do not assign import user capabilities on WP related projects
  • Add  _wp_attachment_backup_sizes in the blocked list in the wordpress-importer code