Description

The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitor to obtain sensitive user information.

PUBLISHED Reserved 2026-04-01 | Published 2026-05-04 | Updated 2026-05-04 | Assigner WPScan

Problem types

CWE-200 Information Exposure

Product status

Default status: unaffected

Any version before 1.2.0: affected

Credits

Hoang Phuong (finder)

WPScan (coordinator)

References

wpscan.com/...rability/ed6f00de-bbae-4e89-9d0e-ded0d70e781c/ exploit vdb-entry technical-description

cve.org (CVE-2026-5335)

nvd.nist.gov (CVE-2026-5335)
