CVE-2025-11693
Published 2025-12-13
Priority: P271 · Severity: critical · CVSS 3.1: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.95% (77.8th percentile)
The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to obtain cookies that may have been injected into the log file if the site administrator triggered a backup using a specific user role like 'administrator'.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| recorp | export_wordpress_pages_to_static_html_pdf_static_site_export | <= 4.3.4 | — |
Detection & IOCs
- Probe for publicly accessible cookie.txt file at the known export path; a 200 response containing 'wordpress', 'TRUE', 'FALSE', and 'HttpOnly' indicates exposed authentication cookies.
- Confirm plugin presence by checking README.txt; a 200 response containing 'Export WP Page' confirms the vulnerable plugin is installed.
- Use FOFA query to identify exposed WordPress instances running this plugin.
- Use Shodan query to identify exposed WordPress instances running this plugin.
- Exploitation requires the site administrator to have previously triggered a backup using a privileged user role (e.g., 'administrator'), which causes authentication cookies to be written into the exposed log/cookie file.
- The vulnerability affects all versions up to and including 4.3.4 of the Export WP Page to Static HTML & PDF plugin.
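A defender-side check for the condition described above, as an added example (not code from this page or from the plugin): it walks a local directory tree, such as a copy of the site's web root, for `cookie.txt`/`cookies.txt` files in curl's Netscape cookie-jar format and reports any that hold WordPress authentication cookies. The two file names come from the text above; the function names and the sample jar are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# WordPress auth cookie names: wordpress_<hash>, wordpress_sec_<hash>,
# wordpress_logged_in_<hash>, where <hash> is a 32-character hex digest.
WP_AUTH = re.compile(r"^wordpress_(?:sec_|logged_in_)?[0-9a-f]{32}$")
JAR_NAMES = {"cookie.txt", "cookies.txt"}  # names mentioned on this page
FLAGS = ("TRUE", "FALSE")


def wp_auth_cookies(jar_text):
    """Return names of WordPress auth cookies in Netscape-format jar text."""
    found = []
    for line in jar_text.splitlines():
        # curl prefixes HttpOnly cookies with '#HttpOnly_'; other '#' lines
        # are comments and carry no cookie.
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#") or not line.strip():
            continue
        # domain, subdomain flag, path, secure flag, expiry, name, value
        fields = line.split("\t")
        if len(fields) != 7 or fields[1] not in FLAGS or fields[3] not in FLAGS:
            continue
        if WP_AUTH.match(fields[5]):
            found.append(fields[5])
    return found


def audit_tree(root):
    """Map each cookie jar under root to the WordPress auth cookies it holds."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in JAR_NAMES:
            names = wp_auth_cookies(path.read_text(errors="replace"))
            if names:
                hits[str(path)] = names
    return hits


# Constructed sample jar (not real data): one auth cookie, one harmless cookie.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "#HttpOnly_example.test\tFALSE\t/\tTRUE\t0\t"
    "wordpress_logged_in_" + "a" * 32 + "\tadmin%7C0%7Cconstructed\n"
    "example.test\tFALSE\t/\tFALSE\t0\twordpress_test_cookie\tWP%20Cookie%20check\n"
)

if __name__ == "__main__":
    for jar, names in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(jar, names)
```

Any hit should be treated as an exposed session: remove the file and rotate the WordPress authentication keys and salts so the recorded cookies stop validating.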
No detection rules found.
Nuclei
Export WP Page to Static HTML <= 4.3.4 - Cookie Exposure
The Export WP Page to Static HTML & PDF WordPress plugin <= 4.3.4 contains a sensitive information exposure caused by publicly exposed cookies.txt files with authentication cookies, letting unauthenticated attackers access sensitive authentication data. Exploitation requires the site administrator to trigger a backup with a specific user role.
Template:
```yaml
id: CVE-2025-11693
info:
  name: Export WP Page to Static HTML <= 4.3.4 - Cookie Exposure
  author: 0x_Akoko
  severity: critical
  description: |
    Export WP Page to Static HTML & PDF WordPress plugin <= 4.3.4 contains a sensitive information exposure caused by publicly exposed cookies.txt files with authentication cookies, letting unauthenticated attackers access sensitive authentication data, exploit req
```