Description
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pattern ^0e\d+$), allowing download of sensitive export files containing PII, business data, or database information.
Published: 2026-02-18
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the WP All Export plugin arises from a PHP type juggling flaw in the security token comparison. The code compares the provided token against a stored MD5 hash prefix using loose equality (==) instead of strict comparison (===). When the expected MD5 prefix matches a numeric-looking pattern (^0e\d+$), an attacker can supply a magic hash value that passes the comparison. This bypasses authentication checks and allows unauthenticated users to invoke the export download endpoint, retrieving sensitive export files that may contain personally identifiable information, business data, or database contents. The weakness is classified as CWE-200, indicating a potential for unauthorized disclosure of information.
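The loose-versus-strict comparison described above, as an added example that is not part of this advisory or of the WP All Export plugin's code. The function names (token_matches_loose, token_matches_strict, prefix_is_numeric_looking) and every token value are constructed for illustration; the hardened form uses hash_equals() so the check is both strict and timing-safe.

```php
<?php
// Added example (not the plugin's code): a loose token check beside a
// strict one, plus an audit helper for the ^0e\d+$ shape the advisory
// names. All token values below are constructed for illustration.

declare(strict_types=1);

// Vulnerable pattern: loose comparison (==). When both operands are numeric
// strings, such as "0e" followed only by digits, PHP compares them as
// numbers: "0e12345678" == "0e87654321" becomes 0 == 0, which is true.
function token_matches_loose(string $expected, string $provided): bool
{
    return $expected == $provided;
}

// Hardened pattern: strict and timing-safe comparison of the stored value.
// hash_equals() returns false on any byte difference or length mismatch
// and never coerces either operand to a number.
function token_matches_strict(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

// Audit helper: flags a stored hash prefix that loose comparison would
// treat as the number zero (the ^0e\d+$ pattern from the advisory).
function prefix_is_numeric_looking(string $prefix): bool
{
    return preg_match('/^0e\d+$/', $prefix) === 1;
}

// Constructed values: an MD5-style hex prefix that happens to be all digits
// after a leading "0e", and a different "0e..." string that an unrelated
// request might carry.
$expectedPrefix = '0e12345678';   // constructed, not a real token
$providedValue  = '0e87654321';   // constructed, differs in every digit after "0e"

printf("prefix at risk : %s\n", prefix_is_numeric_looking($expectedPrefix) ? 'yes' : 'no');
printf("loose  (==)    : %s\n", token_matches_loose($expectedPrefix, $providedValue) ? 'MATCH (bypass)' : 'no match');
printf("strict         : %s\n", token_matches_strict($expectedPrefix, $providedValue) ? 'MATCH' : 'no match');

// A prefix containing any hex letter other than the leading "e" is not a
// numeric string, so loose comparison falls back to a byte-wise compare.
$safePrefix = '0e1a2b3c4d';       // constructed
printf("safe prefix    : %s\n", token_matches_loose($safePrefix, $providedValue) ? 'MATCH' : 'no match');
```

Run with `php example.php`. The audit helper is the check a site owner can apply to stored token prefixes to see which ones loose comparison would treat as zero; the strict helper is the shape of the fix the advisory describes for 1.4.15.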

Affected Systems

This flaw affects any WordPress site using the soflyy WP All Export plugin, specifically versions 1.4.14 and earlier. Users running the plugin in these versions are at risk of unauthorized data exfiltration through the export download endpoint.

Risk and Exploitability

The CVSS score is 3.7, signifying low severity, and the EPSS score is below 1%, indicating a very low probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Adversaries can exploit it remotely by sending a crafted HTTP request to the download endpoint with a magic hash value; no credentials are required. While the probability of exploitation remains low, the potential impact is the exposure of sensitive information.

Generated by OpenCVE AI on April 15, 2026 at 18:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP All Export to version 1.4.15 or later, which replaces the loose comparison with a strict comparison in the token validation logic.
  • Disable the export download endpoint for unauthenticated users via plugin settings or a security plugin, ensuring only authorized users can access export files.
  • If an upgrade is not feasible, remove the WP All Export plugin or replace it with a more secure export solution to eliminate the vulnerable endpoint.



Advisories

No advisories yet.

History

Thu, 19 Feb 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Soflyy
                                      Soflyy wp All Export – Drag & Drop Export To Any Custom Csv, Xml & Excel
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Soflyy
                                      Soflyy wp All Export – Drag & Drop Export To Any Custom Csv, Xml & Excel
                                      Wordpress
                                      Wordpress wordpress

Wed, 18 Feb 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 12:45:00 +0000

Type                 Values Removed   Values Added
Description                           The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pattern ^0e\d+$), allowing download of sensitive export files containing PII, business data, or database information.
Title                                 WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling
Weaknesses                            CWE-200
References
Metrics                               cvssV3_1
                                      {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:05.713Z

Reserved: 2026-01-29T00:43:49.262Z

Link: CVE-2026-1582

Vulnrichment

Updated: 2026-02-18T20:23:26.609Z

NVD

Status : Deferred

Published: 2026-02-18T13:16:20.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1582

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses