Vulnerabilities and security researches forwp-all-export wp-all-export

Jun 06, 2024

CVE, Research URL: CVE-2023-5882
Home page URL: Security reports for Export any WordPress data to XML/CSV
Application: Export any WordPress data to XML/CSV
Date: Dec 19, 2023
Research Description: The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution.
Affected versions: max 1.4.1.
Status: vulnerable

CVE, Research URL: CVE-2023-5886
Home page URL: Security reports for Export any WordPress data to XML/CSV
Application: Export any WordPress data to XML/CSV
Date: Dec 19, 2023
Research Description: The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution.
Affected versions: max 1.4.1.
Status: vulnerable

CVE, Research URL: CVE-2023-4724
Home page URL: Security reports for Export any WordPress data to XML/CSV
Application: Export any WordPress data to XML/CSV
Date: Dec 19, 2023
Research Description: The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server
Affected versions: max 1.4.1.
Status: vulnerable

CVE, Research URL: CVE-2022-1800
Home page URL: Security reports for Export any WordPress data to XML/CSV
Application: Export any WordPress data to XML/CSV
Date: Jun 13, 2022
Research Description: The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.
Affected versions: max 1.3.6.
Status: vulnerable

CVE, Research URL: CVE-2021-24708
Home page URL: Security reports for Export any WordPress data to XML/CSV
Application: Export any WordPress data to XML/CSV
Date: Nov 08, 2021
Research Description: The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Affected versions: max 1.3.1.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-1582
Home page URL: Security reports for Export any WordPress data to XML/CSV
Application: Export any WordPress data to XML/CSV
Date: Feb 18, 2026
Research Description: The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pattern ^0e\d+$), allowing download of sensitive export files containing PII, business data, or database information.
Affected versions: max 1.4.15.
Status: vulnerable