Impact
The Export All Post Meta plugin contains a missing authorization flaw that allows any authenticated WordPress user to trigger the plugin's export functionality without the expected role checks. Because the plugin's endpoints are not properly constrained by access controls, users can retrieve all post metadata, potentially exposing sensitive data stored in custom fields, such as authentication tokens or personal information. The weakness is classified as CWE-862 (Missing Authorization).
Affected Systems
WordPress sites that use the brainvireinfo Export All Post Meta plugin version 1.2.1 or earlier are affected. No other vendors or products are listed as impacted.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate overall risk, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. Based on the description, it is inferred that an attacker must be logged into the site; once authenticated, any user with an admin or contributor role can invoke the export endpoint. The vulnerability is not yet listed in the CISA KEV catalog, and no public exploits have been reported. The missing role checks give a determined attacker an efficient way to compromise confidentiality.