CVE-2026-7558
Received Received - Intake

Unauthorized Data Export in Token of Trust WordPress Plugin

Vulnerability report for CVE-2026-7558, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 4.0.2. This is due to the handle_export_table() function being registered on the WordPress 'init' hook, which fires for all requests, including those from unauthenticated visitors, without any capability check. This makes it possible for unauthenticated attackers to download a CSV file containing sensitive WooCommerce donation data, including order dates, order IDs, charitable donation amounts, and admin-only order edit URLs, simply by visiting any page on the site with the 'tot_export_table' GET parameter set to a numeric value (0–3).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
token_of_trust age_verification_and_identity_verification to 4.0.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Age Verification & Identity Verification by Token of Trust plugin for WordPress has a vulnerability in all versions up to and including 4.0.2. This vulnerability arises because the handle_export_table() function is triggered on the WordPress 'init' hook for every request, including those from unauthenticated users, without any capability checks.

As a result, an unauthenticated attacker can download a CSV file containing sensitive WooCommerce donation data simply by visiting any page on the site with the 'tot_export_table' GET parameter set to a numeric value between 0 and 3.

  • Sensitive data exposed includes order dates, order IDs, charitable donation amounts, and admin-only order edit URLs.
Impact Analysis

This vulnerability allows unauthenticated attackers to access sensitive WooCommerce donation data without authorization.

  • Exposure of order dates and IDs could lead to privacy violations.
  • Disclosure of charitable donation amounts may compromise donor confidentiality.
  • Access to admin-only order edit URLs could facilitate further unauthorized actions or exploitation.
Detection Guidance

This vulnerability can be detected by checking if your WordPress site with the Age Verification & Identity Verification by Token of Trust plugin allows unauthenticated access to sensitive data via the 'tot_export_table' GET parameter.

You can test this by sending an HTTP request to any page on your site with the 'tot_export_table' parameter set to a numeric value between 0 and 3 and observing if a CSV file containing sensitive WooCommerce donation data is returned.

  • Use curl to test for the vulnerability: curl -i "https://your-wordpress-site.com/?tot_export_table=1"
  • Check your web server logs for requests containing the 'tot_export_table' parameter from unauthenticated IP addresses.
Mitigation Strategies

Immediate mitigation steps include updating the Age Verification & Identity Verification by Token of Trust plugin to a version later than 4.0.2 where the vulnerability is fixed.

If an update is not immediately available, restrict access to the export functionality by disabling or removing the 'tot_export_table' GET parameter handling or by adding authentication and capability checks to the handle_export_table() function.

Additionally, consider implementing web application firewall (WAF) rules to block requests containing the 'tot_export_table' parameter from unauthenticated users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7558. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart