WP All Export < 1.4.15 – Unauthenticated Sensitive Information Exposure via PHP Type Juggling | CVE 2026-1582 | Plugin Vulnerabilities

Description

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pattern ^0e\d+$), allowing download of sensitive export files containing PII, business data, or database information.

Affects Plugins

Fixed in 1.4.15

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9a92c682-b8b3-4d23-bd84-97d7440ee525

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Vincent Theriault-Laine

Verified

No

WPVDB ID

702b47f2-60f6-4518-87b8-7177d73ccfbe

Timeline

Publicly Published

2026-02-17 (about 4 months ago)

Added

2026-02-18 (about 4 months ago)

Last Updated

2026-02-18 (about 4 months ago)

Other

Published

Title

Published

2023-12-07

Title

PayHere Payment Gateway < 2.2.12 - Unauthenticated Log Data Disclosure

Published

2025-06-05

Title

Simple History < 5.8.2 - Admin+ Sensitive Information Exposure via Detective Mode

Published

2024-07-26

Title

Piotnet Addons For Elementor < 2.4.30 - Unauthenticated Sensitive Information Exposure

Published

2024-04-16

Title

HT Mega < 2.4.7 - Unauthenticated Order Data Disclosure

Published

2024-07-11

Title

HitPay Payment Gateway for WooCommerce < 4.1.4 - Information Exposure via Log Files