Impact
The Export All Posts, Products, Orders, Refunds & Users plugin contains a Cross-Site Request Forgery flaw caused by missing or incorrect nonce validation in the parseData function. An unauthenticated attacker can use it to force a site administrator into exporting sensitive information (user records, email addresses, password hashes and WooCommerce orders) to a file on the server at a location the attacker chooses. Because the export path is attacker-controlled, the flaw results in full disclosure of user and transactional data, compromising confidentiality and potentially enabling further credential-reuse attacks.
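To make the two missing controls concrete, here is an added example (not the plugin's own code; the hook name, function names and helpers are hypothetical) showing the vulnerable handler pattern next to a hardened one that verifies a nonce, checks capability, and derives the output path server-side instead of taking it from the request.

```php
<?php
// Added example, not code from the plugin. 'example_*' names are hypothetical.

// VULNERABLE PATTERN (shown for contrast, deliberately not registered):
// no nonce, no capability check, and the output path comes from the request.
function example_parse_data_vulnerable() {
    $rows = example_collect_export_rows();            // assumed helper
    $path = $_POST['export_path'];                    // caller controlled
    file_put_contents( $path, example_to_csv( $rows ) ); // assumed helper
    wp_send_json_success();
}

// HARDENED FORM: registered on an admin-only AJAX hook.
add_action( 'wp_ajax_example_parse_data', 'example_parse_data_hardened' );
function example_parse_data_hardened() {
    // 1. CSRF: reject any request that lacks a nonce minted for this action.
    //    The nonce is emitted on the admin page with
    //    wp_create_nonce( 'example_export_nonce' ) and posted as "security".
    check_ajax_referer( 'example_export_nonce', 'security' );

    // 2. Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Never accept a filesystem path from the request. Build it from a
    //    fixed directory plus a sanitized file name (slashes are stripped).
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'exports/';
    wp_mkdir_p( $dir );
    $name   = sanitize_file_name( wp_unslash( $_POST['export_name'] ?? 'export' ) );
    $path   = $dir . $name . '.csv';

    // Defence in depth: confirm the resolved parent is exactly the exports dir.
    if ( realpath( dirname( $path ) ) !== realpath( $dir ) ) {
        wp_send_json_error( 'bad path', 400 );
    }

    // 4. Do not write password hashes to disk at all; drop them before export.
    $rows = array_map( function ( $r ) { unset( $r['user_pass'] ); return $r; },
                       example_collect_export_rows() );
    file_put_contents( $path, example_to_csv( $rows ) );
    wp_send_json_success( array( 'file' => $name . '.csv' ) );
}
```

A detection check for an existing handler is simply whether every write path in it passes through check_ajax_referer()/check_admin_referer() and current_user_can() before touching the filesystem.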
Affected Systems
WordPress sites running the Smackcoders Export All Posts, Products, Orders, Refunds & Users plugin in any version up to and including 2.19 are affected. Administrators of such sites should verify whether they are running a vulnerable version and consider upgrading.
Risk and Exploitability
The CVSS v3.1 base score of 6.5 indicates a medium-severity issue, and an EPSS score below 1% indicates a low probability of exploitation. Because the forged request must be sent while a legitimate administrator is authenticated, the attack typically relies on social engineering or a malicious link presented to an admin. The vulnerability is not listed in CISA KEV, so no widespread exploitation campaigns have yet been reported. Nonetheless, any unpatched instance remains at risk if an attacker can coerce an admin into executing a crafted export request.
OpenCVE Enrichment