Executive Summary

CVE-2026-5335 is a vulnerability in the Magic Export & Import WordPress plugin versions below 1.2.0. It occurs because the plugin stores exported CSV files containing sensitive user information in a publicly accessible location. These CSV files are saved at predictable URLs, allowing any visitor, including unauthenticated attackers, to access and download these files without any restrictions.

This vulnerability leads to sensitive data disclosure, exposing personally identifiable information (PII) of users. It is classified under OWASP Top 10 category A3 (Sensitive Data Exposure) and CWE-200.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a significant impact by allowing unauthorized individuals to access sensitive user data stored in exported CSV files. Such exposure can lead to privacy breaches, identity theft, and misuse of personal information.

Since the data is accessible without authentication, attackers can easily download and exploit this information, potentially damaging the reputation of the affected website and causing harm to its users.

The vulnerability has a high severity level with a CVSS score of 7.5, indicating that it poses a serious risk if not addressed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of publicly accessible CSV files stored by the Magic Export & Import WordPress plugin at predictable URLs. Specifically, you can attempt to access URLs following the pattern: https://[target]/wp-content/plugins/magic-export-import/export/magic-export-posts-post-[domain].csv to see if sensitive user data is exposed without authentication.

To detect this on your system or network, you can use commands such as curl or wget to try to download these CSV files and verify if they are accessible.

• curl -I https://[target]/wp-content/plugins/magic-export-import/export/magic-export-posts-post-[domain].csv
• wget --spider https://[target]/wp-content/plugins/magic-export-import/export/magic-export-posts-post-[domain].csv
• curl https://[target]/wp-content/plugins/magic-export-import/export/magic-export-posts-post-[domain].csv -o output.csv

If these commands return the CSV file or HTTP status 200, it indicates the vulnerability is present and sensitive data may be exposed.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Magic Export & Import WordPress plugin to version 1.2.0 or later, where the issue has been fixed by the developer.

Until the update can be applied, restrict access to the export directory or the specific CSV files by implementing proper access controls, such as using .htaccess rules or web server configuration to prevent public access.

Additionally, review and remove any sensitive exported CSV files that are publicly accessible to prevent further data leakage.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive personally identifiable information (PII) through publicly accessible CSV files. Such exposure of sensitive user data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and security of personal data.

The issue is classified as a sensitive data disclosure vulnerability, which aligns with OWASP Top 10 category A3 (Sensitive Data Exposure) and CWE-200, highlighting the risk of unauthorized data access.

Organizations using affected versions of the Magic Export & Import WordPress plugin may face compliance risks and potential legal consequences if sensitive user information is leaked due to this vulnerability.

Useful 0 Not Useful 0