WordPress · Export All Urls · CVE-2026-2696
Name of the Vulnerable Software and Affected Versions
Export All URLs WordPress plugin versions prior to 5.1
Description
The Export All URLs WordPress plugin versions before 5.1 creates CSV filenames with predictable patterns based on post URLs, including those for private posts. These files are saved in the publicly accessible 'wp-content/uploads/' directory, allowing unauthenticated users to potentially access sensitive data by brute-forcing the filenames.
Recommendations
Update the Export All URLs WordPress plugin to version 5.1 or later.