cleantalk
Vulnerabilities and Security Researches

Export any WordPress data to XML/CSV, CVE-2026-1582

CVE, Research URL

CVE-2026-1582

Home page URL

Security reports for Export any WordPress data to XML/CSV

Application

Export any WordPress data to XML/CSV

Published on
Feb 18, 2026
Research Description
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pattern ^0e\d+$), allowing download of sensitive export files containing PII, business data, or database information.
Affected versions
max 1.4.15.
Status
vulnerable
Previous vulnerability researches
Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint (CVE-2025-58604) , Sep 05, 2025
Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint (CVE-2025-47541) , May 13, 2025
Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint (CVE-2026-23541) , Feb 27, 2026
Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint (CVE-2025-11967) , Dec 11, 2025
Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint (CVE-2026-1447) , Apr 14, 2026
New vulnerability
wpForo Forum (CVE-2026-1581) , Apr 15, 2026
wpForo Forum (CVE-2026-0910) , Apr 15, 2026
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2026-0550) , Apr 15, 2026
EmailKit -WooCommerce Email Customizer (CVE-2026-1925) , Apr 15, 2026
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce (CVE-2026-1651) , Apr 15, 2026