CVE-2026-2696 - Vulnerability Details

- Export All URLs < 5.1 - Unauthenticated Sensitive Data Exposure

Description

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.

Published: 2026-04-01

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Export All URLs WordPress plugin prior to version 5.1 writes exported CSV files that include URLs for all posts, even private ones. The filenames are generated with an apparently random 6‑digit number and are stored in the publicly addressable wp‑content/uploads directory. Because the file names can be guessed or brute‑forced, an unauthenticated user can download these files and read sensitive data that should not be exposed. This vulnerability is a form of sensitive data exposure, classified as CWE‑200.

Affected Systems

WordPress sites that have installed the Export All URLs plugin and are running any version older than 5.1. Site administrators should review whether the plugin is in use, and if so, determine the current version they are running.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity impact, but the EPSS score of less than 1 % shows that the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely known public exploits. Nevertheless, the attack vector is unauthenticated file download: an attacker simply needs to guess the 6‑digit filename to retrieve the exported CSV. Even with low probability, the potential exposure of private post URLs warrants proactive remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Unknown

Export All URLs

unaffected

Version	Status	Constraints
`0`	affected	< 5.1

No data.

Vendor Product Confidence Versions

Export All Urls

80%

Version	Status	Scheme	Platform
`[0,5.1)`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Export All URLs plugin to version 5.1 or later, which eliminates the vulnerable file‑generation behavior.
After updating, delete any existing CSV files residing in wp‑content/uploads that may have been exposed.
Restrict write permissions to the uploads directory to prevent accidental exposure of future export files.
Verify that no other plugins or scripts expose sensitive data via publicly accessible directories.
Keep WordPress core, themes, and plugins regularly updated to reduce the risk of similar vulnerabilities.

Generated by OpenCVE AI on April 2, 2026 at 03:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://wpscan.com/vulnerability/55d627c1-ad05-4cd1-ae7b-932d84c19313/

History

Fri, 03 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Export All Urls Export All Urls export All Urls Wordpress Wordpress wordpress
Vendors & Products		Export All Urls Export All Urls export All Urls Wordpress Wordpress wordpress

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.
Title		Export All URLs < 5.1 - Unauthenticated Sensitive Data Exposure
References		https://wpscan.com/vulnerability/55d627c1-ad05-4cd1-ae7b-932d84c19313/

Subscriptions

Export All Urls Export All Urls

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-04-01T06:00:08.236Z

Updated: 2026-04-01T14:02:38.139Z

Reserved: 2026-02-18T14:32:38.179Z

Link: CVE-2026-2696

Vulnrichment

Updated: 2026-04-01T14:02:34.765Z

NVD

Status : Deferred

Published: 2026-04-01T06:16:15.380

Modified: 2026-04-15T15:05:47.827

Link: CVE-2026-2696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T08:58:46Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object