CVE-2026-2696
Insecure Direct Object Reference in Export All URLs Plugin
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| export_all_urls | export_all_urls | to 5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-2696 affects the WordPress plugin "Export All URLs" versions prior to 5.1. This plugin generates CSV files containing URLs of posts, including private posts, and names these files using a predictable pattern combined with a random 6-digit number.
These CSV files are stored in the publicly accessible directory wp-content/uploads/. Because the filename pattern is predictable and the files are publicly accessible, any unauthenticated user can brute-force the filenames by trying different 6-digit numbers to find and access these CSV files.
Accessing these files exposes sensitive data, specifically URLs of private posts, without requiring any authentication.
How can this vulnerability impact me? :
This vulnerability can lead to sensitive data disclosure by allowing unauthenticated users to access CSV files containing URLs of private posts.
Since these files are stored publicly and can be accessed through brute-force attacks on the filename, attackers can obtain sensitive information that should be restricted.
This exposure can compromise the confidentiality of private content on the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the CSV export files stored in the publicly accessible wp-content/uploads/ directory using a brute-force approach on the 6-digit random number in the filename.
A proof of concept involves generating a CSV export as an admin, then using a script or commands to send HTTP requests to URLs formatted as: http://example.com/wp-content/uploads/YYYY/MM/export-all-urls-<6-digit>.CSV.
When a request returns HTTP status 200, it indicates that the corresponding CSV file is accessible and contains sensitive URLs.
- Use curl or wget in a loop to brute-force the 6-digit number in the filename.
- Example command snippet using curl in bash:
- for i in $(seq -w 000000 999999); do curl -o /dev/null -s -w "%{http_code} %{url_effective}\n" http://example.com/wp-content/uploads/YYYY/MM/export-all-urls-$i.CSV; done
- Check for HTTP 200 responses to identify accessible files.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Export All URLs WordPress plugin to version 5.1 or later, where this vulnerability has been fixed.
Until the update can be applied, restrict public access to the wp-content/uploads/ directory or implement access controls to prevent unauthenticated users from accessing exported CSV files.
Additionally, consider removing any existing exported CSV files that may contain sensitive data from the publicly accessible directories.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability leads to sensitive data disclosure by allowing unauthenticated users to access CSV files containing URLs of private posts. Such exposure of sensitive information can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.
Specifically, the predictable filename pattern and public storage location enable brute-force attacks to retrieve sensitive URLs, violating principles of data confidentiality and access control mandated by these standards.