CVE-2026-2696 | THREATINT

Description

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.

PUBLISHED Reserved 2026-02-18 | Published 2026-04-01 | Updated 2026-04-01 | Assigner WPScan

Problem types

CWE-200 Information Exposure

Product status

Default status

unaffected

Any version before 5.1

affected

Credits

Mohammad Aghdasi finder

WPScan coordinator

References

wpscan.com/...rability/55d627c1-ad05-4cd1-ae7b-932d84c19313/ exploit vdb-entry technical-description

cve.org (CVE-2026-2696)

nvd.nist.gov (CVE-2026-2696)

Download JSON