CVE-2025-11693
published 2025-12-13


Priority: P271, critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged
EPSS: 1.95% (77.8th percentile)
The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to obtain cookies that may have been injected into the log file if the site administrator triggered a backup using a specific user role like 'administrator'.

Affected

1 range

Vendor    Product                                                            Version range   Fixed in
recorp    export_wordpress_pages_to_static_html_pdf_static_site_export       <= 4.3.4        (not listed)

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/export-wp-page-to-static-html/README.txt
path: /wp-content/uploads/exported_html_files/cookie.txt
filename: cookie.txt
  • Probe for publicly accessible cookie.txt file at the known export path; a 200 response containing 'wordpress', 'TRUE', 'FALSE', and 'HttpOnly' indicates exposed authentication cookies.
  • Confirm plugin presence by checking README.txt; a 200 response containing 'Export WP Page' confirms the vulnerable plugin is installed.
  • Use a FOFA query to identify exposed WordPress instances running this plugin.
  • Use a Shodan query to identify exposed WordPress instances running this plugin.
  • Exploitation requires the site administrator to have previously triggered a backup using a privileged user role (e.g., 'administrator'), which causes authentication cookies to be written into the exposed log/cookie file.
  • The vulnerability affects all versions up to and including 4.3.4 of the Export WP Page to Static HTML & PDF plugin.
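A defender-side check to go with the IOC paths above, as an added example that is not part of the original page: it scans web-server access log lines (constructed samples, combined log format assumed) for requests to the exported cookie file and the plugin README, and rates a 200 on the cookie file as high severity because that status means the file was actually served.

```python
import re
from typing import Dict, List, Optional

# Paths taken from the IOC list on this page.
COOKIE_FILE_PATH = "/wp-content/uploads/exported_html_files/cookie.txt"
README_PATH = "/wp-content/plugins/export-wp-page-to-static-html/README.txt"

# Apache/nginx "combined" access log format (assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines: one fingerprint probe, one successful
# cookie-file fetch, one failed fetch, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2025:10:01:02 +0000] "GET /wp-content/plugins/export-wp-page-to-static-html/README.txt HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Dec/2025:10:01:03 +0000] "GET /wp-content/uploads/exported_html_files/cookie.txt?x=1 HTTP/1.1" 200 913 "-" "Mozilla/5.0"
198.51.100.2 - - [13/Dec/2025:10:05:00 +0000] "GET /wp-content/uploads/exported_html_files/cookie.txt HTTP/1.1" 404 162 "-" "curl/8.4"
192.0.2.9 - - [13/Dec/2025:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it is not relevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    status = m.group("status")
    if path == COOKIE_FILE_PATH:
        # A 200 means the server handed out the cookie file; anything else
        # is only evidence that someone looked for it.
        severity = "high" if status == "200" else "low"
        return {"ip": m.group("ip"), "status": status,
                "severity": severity, "reason": "cookie file request"}
    if path == README_PATH:
        return {"ip": m.group("ip"), "status": status,
                "severity": "info", "reason": "plugin fingerprint probe"}
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every line and keep the findings, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```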