PT-2026-20386 · WordPress · Wordpress+1

Vincent Theriault-Laine · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-1582

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WP All Export plugin for WordPress versions prior to 1.4.15

Description

The WP All Export plugin for WordPress exposes sensitive information in versions up to and including 1.4.14. The flaw is a PHP type juggling issue in the export download endpoint: the security token is checked with loose comparison (==) instead of strict comparison (===). When the expected MD5 hash prefix appears numeric, unauthenticated attackers can bypass authentication using specific "magic hash" values. Successful exploitation enables the download of sensitive export files, potentially containing personally identifiable information (PII), business data, or database information. The vulnerable endpoint is '/export download'.

Recommendations

Update WP All Export plugin to version 1.4.15 or later.
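
The loose-versus-strict token comparison described above, shown side by side as an added example (not the plugin's code). The function names and token values are constructed for illustration, and the token is assumed to be a short string taken from an MD5 hash.

```php
<?php
declare(strict_types=1);

// Weak form: loose comparison, as the advisory describes.
// When both operands are numeric strings, PHP compares them as numbers.
function token_matches_loose(string $expected, string $supplied): bool
{
    return $supplied == $expected;
}

// Corrected form: reject non-string input (e.g. an array from the query
// string), then compare byte for byte in constant time.
function token_matches_strict(string $expected, $supplied): bool
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// Audit helper: true when == would treat this token as a number.
function token_is_numeric_looking(string $token): bool
{
    return is_numeric($token);
}

// Constructed sample pairs [expected, supplied]; none come from the plugin.
$cases = [
    ['0e462097', '0e830400'],   // both evaluate to float 0.0
    ['1e3',      '1000'],       // scientific notation vs. plain integer
    ['12345678', '12345678.0'], // integer vs. float spelling
    ['a3f09c1d', 'a3f09c1e'],   // not numeric: compared as strings
    ['a3f09c1d', 'a3f09c1d'],   // genuine match
];

foreach ($cases as [$expected, $supplied]) {
    printf(
        "%-9s vs %-11s numeric=%-5s loose=%-5s strict=%s\n",
        $expected,
        $supplied,
        json_encode(token_is_numeric_looking($expected)),
        json_encode(token_matches_loose($expected, $supplied)),
        json_encode(token_matches_strict($expected, $supplied))
    );
}
```

The first three pairs are accepted by the loose check and rejected by the strict one; only the last pair passes both.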

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-1582

Affected Products

Wp All Export
Wordpress