The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Unknown | Export All URLs | unaffected |
|
No data.
No data.
No data.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 01 Apr 2026 06:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files. | |
| Title | Export All URLs < 5.1 - Unauthenticated Sensitive Data Exposure | |
| References |
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-04-01T06:00:08.236Z
Reserved: 2026-02-18T14:32:38.179Z
Link: CVE-2026-2696
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-04-01T06:16:15.380
Modified: 2026-04-01T06:16:15.380
Link: CVE-2026-2696
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.