Description
The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Magic Export & Import WordPress plugin before version 1.2.0 stores exported CSV files in a publicly accessible folder, which allows any visitor to download files containing sensitive user personal information. The vulnerability results directly from storing sensitive data without proper access restrictions, which leads to disclosure of personally identifying information. Attackers can obtain these files simply by requesting the URL where the CSV is stored.

Affected Systems

Any WordPress site that runs the Magic Export & Import plugin version 1.1.x or earlier is affected. The plugin’s export mechanism has been altered in version 1.2.0 to secure the location of exported files, so only installations using older releases remain vulnerable.

Risk and Exploitability

Because the exported CSV files are served from a public endpoint, the attack vector is straightforward: an unauthenticated HTTP GET on the file path will return the data. The EPSS score is < 1% and the CVSS score is 5.3, and the vulnerability is not listed in the CISA KEV catalog, indicating that no large‑scale exploitation has yet been observed. Nevertheless, the lack of authentication or authorization checks makes exploitation trivial, and the risk of exposing personal data remains high whenever such files are present.

Generated by OpenCVE AI on May 4, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Magic Export & Import plugin to version 1.2.0 or later, which secures the export directory
  • Delete any existing exported CSV files from the public directory on vulnerable installations
  • Configure the web server or WordPress to restrict access to the export folder, for example by adding a .htaccess rule or a dedicated rewrite rule that requires authentication

Generated by OpenCVE AI on May 4, 2026 at 14:37 UTC.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Magic Export & Import; Magic Export & Import magic Export & Import; Wordpress; Wordpress wordpress
Vendors & Products | | Magic Export & Import; Magic Export & Import magic Export & Import; Wordpress; Wordpress wordpress

Mon, 04 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-552
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-200; CWE-284

Mon, 04 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information.
Title | | Magic Export & Import < 1.2.0 - Unauthenticated PII Disclosure
References | |

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-04T12:53:55.367Z

Reserved: 2026-04-01T14:05:11.119Z

Link: CVE-2026-5335

Vulnrichment

Updated: 2026-05-04T12:52:21.033Z

NVD

Status: Deferred

Published: 2026-05-04T07:16:01.343

Modified: 2026-05-04T15:23:19.800

Link: CVE-2026-5335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:44:13Z

Weaknesses