CVE-2025-13606

Name of the Vulnerable Software and Affected Versions Export All Posts, Products, Orders, Refunds & Users plugin for WordPress versions prior to 2.20

Description The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is susceptible to Cross-Site Request Forgery. This is because of inadequate or absent nonce validation within the parseData function. Successful exploitation allows unauthenticated attackers to export sensitive information, including user data, email addresses, password hashes, and WooCommerce data. The attacker can specify an attacker-controlled file path on the server for the exported data, requiring a site administrator to perform an action, such as clicking a malicious link, to complete the attack.

Recommendations Update the Export All Posts, Products, Orders, Refunds & Users plugin to version 2.20 or later.