CVE-2026-2696

CWE-200Information Exposure4 documents4 sources
Severity
5.3MEDIUM
EPSS
0.0%
top 88.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Unknown Export ALL Urls
Timeline
PublishedApr 1

Description

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

CVEListV5unknown/export_all_urls< 5.1

🔴Vulnerability Details

2
CVEList
Export All URLs < 5.1 - Unauthenticated Sensitive Data Exposure2026-04-01
GHSA
GHSA-j528-c652-pjv3: The Export All URLs WordPress plugin before 52026-04-01

🕵️Threat Intelligence

1
Wiz
CVE-2026-2696 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2696 (MEDIUM CVSS 5.3) | The Export All URLs WordPress plugi | cvebase.io