Description
The hiWeb Export Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.0.0. This is due to missing or incorrect nonce validation on the tool-dashboard-history.php file. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via arbitrary file deletion
Action: Apply Patch
AI Analysis

Impact

The hiWeb Export Posts plugin for WordPress performs a file deletion in tool-dashboard-history.php without valid nonce validation, so nothing proves that the request originated from a page the plugin rendered for the current administrator. An attacker who lures a logged-in administrator to a crafted page or link can make the administrator's browser send the deletion request, which then runs with the administrator's privileges and the web server's filesystem permissions. The target path is attacker-chosen, which is why the record is classified CWE-22 (path traversal) even though the request itself is forged (CSRF). Deleting wp-config.php is the notable case: WordPress then presents its installer, so whoever completes it chooses the database and becomes an administrator, which is the route to remote code execution the description refers to. The attacker holds no account on the site, but the attack depends on an administrator with an active session acting on the lure.

Affected Systems

WordPress sites with the den-media hiWeb Export Posts plugin installed at version 0.9.0.0 or earlier are affected. The deletion runs with the web server's filesystem permissions, so any file that user can unlink, wp-config.php included, is within reach.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H, 8.1 High) reflects network reach, no attacker privileges, required user interaction, and high integrity and availability impact with no direct confidentiality loss. The EPSS score below 1% and the absence of the CVE from the CISA KEV catalog indicate no observed exploitation, consistent with the SSVC assessment of Exploitation: none and Automatable: no. Exploitation requires only that an administrator with an active session visit an attacker-controlled page or follow a crafted link; the attacker needs no account, but the request executes with the victim's privileges, so the exposed population is every site running this plugin whose administrators can be reached by phishing.

Generated by OpenCVE AI on April 21, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the hiWeb Export Posts plugin to a version newer than 0.9.0.0 as soon as one is released; until then treat every install at 0.9.0.0 or earlier as unpatched.
  • If no fixed version is available, deactivate and delete the plugin rather than only deactivating it: a deactivated plugin's files remain on disk and a PHP file that can be requested directly may still be reachable.
  • As a stopgap, block cross-site requests to the tool-dashboard-history.php endpoint at the web server or WAF: refuse requests whose Sec-Fetch-Site header is cross-site, or whose Origin/Referer host does not match the site. A WAF cannot "require a valid nonce": a WordPress nonce is derived from the user's session and the specific action, so only WordPress itself can verify it. The edge rule is a compensating control, not a fix.
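The edge-level mitigation suggested above, as an added example rather than anything from the plugin or this record: a must-use plugin that refuses cross-site requests to the affected endpoint. It assumes the handler is reached through a WordPress-loaded admin request whose URI contains "tool-dashboard-history"; if the plugin file is requested directly by path, WordPress never loads and only a web-server or WAF rule on that path can intervene. The hw_stopgap_* names are assumptions.

```php
<?php
/**
 * Plugin Name: Stopgap: block cross-site requests to the hiWeb history tool
 *
 * Added example (not code from hiWeb Export Posts or OpenCVE). Place in
 * wp-content/mu-plugins/. Assumption: the vulnerable handler is reached via a
 * WordPress-loaded admin request whose URI contains "tool-dashboard-history".
 * This is a compensating control only; it does not add the missing nonce check.
 */

// Decide from request headers whether this request was initiated by a site
// other than ours. Returns true when it should be refused.
function hw_stopgap_is_cross_site( array $server, $own_host ) {
    // Sec-Fetch-Site is set by current browsers and cannot be set by a page:
    // 'same-origin' (our own pages) and 'none' (typed URL/bookmark) are fine;
    // 'cross-site' and 'same-site' (a sibling subdomain) are not.
    if ( isset( $server['HTTP_SEC_FETCH_SITE'] ) ) {
        return ! in_array( $server['HTTP_SEC_FETCH_SITE'], array( 'same-origin', 'none' ), true );
    }
    // Older browsers: compare the Origin host, then the Referer host, with ours.
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( empty( $server[ $header ] ) ) {
            continue;
        }
        $host = wp_parse_url( $server[ $header ], PHP_URL_HOST );
        return strcasecmp( (string) $host, (string) $own_host ) !== 0;
    }
    // No provenance headers at all. Referrer-Policy can strip Referer, so a
    // bare GET navigation cannot be told apart from a legitimate bookmark;
    // refuse only state-changing methods here. If the vulnerable delete is
    // triggered by GET, tighten this to `return true` and accept the breakage.
    $method = isset( $server['REQUEST_METHOD'] ) ? $server['REQUEST_METHOD'] : 'GET';
    return 'GET' !== $method;
}

// Priority 0 so this runs before any plugin's own admin_init work.
add_action( 'admin_init', function () {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    if ( false === stripos( $uri, 'tool-dashboard-history' ) ) {
        return; // not the affected endpoint
    }
    $own_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( hw_stopgap_is_cross_site( $_SERVER, $own_host ) ) {
        // Record enough to investigate, then refuse the request.
        error_log( sprintf(
            'hw_stopgap: refused cross-site request to %s from %s',
            $uri,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?'
        ) );
        wp_die( 'Cross-site request to the export history tool refused.', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );
```

The Sec-Fetch-Site branch is the reliable one: browsers set that header themselves and a hostile page cannot override it, whereas Referer can be suppressed by the attacker's Referrer-Policy. The fallback therefore errs toward allowing header-less GET navigations; a deployment that knows the deletion is GET-triggered should fail closed there and accept that bookmarked visits to the tool will need to go through the WordPress menu.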

Advisories
Source: EUVD
ID: EUVD-2025-22508
Title: The hiWeb Export Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.0.0. This is due to missing or incorrect nonce validation on the tool-dashboard-history.php file. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Thu, 24 Jul 2025 21:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress; Wordpress wordpress
Vendors & Products                     Wordpress; Wordpress wordpress

Thu, 24 Jul 2025 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Jul 2025 09:30:00 +0000

Type          Values Removed   Values Added
Description                    The hiWeb Export Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.0.0. This is due to missing or incorrect nonce validation on the tool-dashboard-history.php file. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title                          hiWeb Export Posts <= 0.9.0.0 - Cross-Site Request Forgery to Arbitrary File Deletion
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:36.066Z

Reserved: 2025-07-14T14:46:21.081Z

Link: CVE-2025-7640

Vulnrichment

Updated: 2025-07-24T13:15:28.384Z

NVD

Status : Deferred

Published: 2025-07-24T10:15:28.137

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses