Unknown Export All Urls vulnerabilities

5 known vulnerabilities affecting unknown/export_all_urls.

Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
MEDIUM5

Vulnerabilities

Page 1 of 1
CVE-2026-2696MEDIUMCVSS 5.3fixed in 5.12026-04-01
CVE-2026-2696 [MEDIUM] CWE-200 CVE-2026-2696: The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (inclu The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive
cvelistv5nvd
CVE-2023-3118MEDIUMCVSS 6.1fixed in 4.62023-07-10
CVE-2023-3118 [MEDIUM] CWE-79 CVE-2023-3118: The Export All URLs WordPress plugin before 4.6 does not sanitise and escape a parameter before outp The Export All URLs WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
cvelistv5nvd
CVE-2022-2638MEDIUMCVSS 6.5≥ 4.4, < 4.42022-08-29
CVE-2022-2638 [MEDIUM] CWE-73 CVE-2022-2638: The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete arbitrary file from the server
cvelistv5nvd
CVE-2022-0914MEDIUMCVSS 6.5≥ 4.3, < 4.32022-04-11
CVE-2022-0914 [MEDIUM] CWE-352 CVE-2022-0914: The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, whi The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and retrieve the list of titles for example
cvelistv5nvd
CVE-2022-0892MEDIUMCVSS 6.1≥ 4.2, < 4.22022-04-11
CVE-2022-0892 [MEDIUM] CWE-79 CVE-2022-0892: The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting
cvelistv5nvd