CVE-2025-11693
Sensitive Information Exposure in Export WP Page to Static HTML Plugin
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | export_wp_page_to_static_html_and_pdf | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Export WP Page to Static HTML & PDF plugin for WordPress, versions up to and including 4.3.4. It involves sensitive information exposure through publicly accessible cookies.txt files that contain authentication cookies. An unauthenticated attacker can access these cookies, which may have been injected into the log file if the site administrator triggered a backup using a specific user role such as 'administrator'.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability exposes sensitive authentication cookies through publicly accessible cookies.txt files, which can lead to unauthorized access to protected information. Such exposure of sensitive data can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access. Therefore, this vulnerability poses a significant risk to compliance with these standards by potentially allowing data breaches involving sensitive user authentication data. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for publicly exposed cookies.txt files that contain authentication cookies related to the Export WP Page to Static HTML & PDF plugin. You can scan your web server or backup directories for such files. For example, use commands like 'find /path/to/wordpress -name cookies.txt' to locate exposed cookie files. Additionally, monitoring HTTP requests for unauthorized access attempts to these files or unusual backup triggers by administrator roles can help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Export WP Page to Static HTML & PDF plugin to version 5.0.0 or later, which contains the security patch addressing this vulnerability. Additionally, restrict public access to cookies.txt files and backup directories to prevent unauthorized exposure of authentication cookies. Implement proper file permissions and consider disabling or securing backup triggers that can be exploited by unauthorized users. Monitoring and sanitizing inputs, as well as ensuring secure handling of cookies and HTTP requests, are also recommended. [2]
How can this vulnerability impact me? :
The vulnerability can allow unauthenticated attackers to obtain authentication cookies, potentially leading to full compromise of the affected WordPress site. This can result in unauthorized access with administrator privileges, allowing attackers to view, modify, or delete sensitive data, disrupt site operations, or perform other malicious actions.