CVE-2023-5886

CWE-352 — Cross-Site Request Forgery (CSRF)CWE-4146 documents6 sources

Severity

8.8HIGH

EPSS

0.7%

top 26.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Export ANY Wordpress Data TO Xml/csv Unknown WP ALL Export PRO Soflyy Export ANY Wordpress Data TO Xml\/csv +1 more

Timeline

PublishedDec 18

Latest updateDec 24

Description

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5unknown/export_any_wordpress_data_to_xml/csv< 1.4.0

▶NVDsoflyy/export_any_wordpress_data_to_xml\/csv< 1.4.1

▶NVDsoflyy/wp_all_export< 1.8.6

▶CVEListV5unknown/wp_all_export_pro< 1.8.6

🔴Vulnerability Details

OSV

tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site↗2025-12-24

▶

CVEList

WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF↗2023-12-18

▶

GHSA

GHSA-qgv4-xfrj-hvp7: The Export any WordPress data to XML/CSV WordPress plugin before 1↗2023-12-18

▶

📋Vendor Advisories

Red Hat

kernel: tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site↗2025-12-24

▶