Magic Export & Import < 1.2.0 – Unauthenticated PII Disclosure | CVE 2026-5335

Description

The plugin stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information.

Proof of Concept

An unauthenticated attacker can access exported data by
  requesting the predictable URL:
  https://[target]/wp-content/plugins/magic-export-import/export/
  magic-export-posts-post-[domain].csv

Affects Plugins

magic-export-import

Fixed in 1.2.0

References

CVE

CVE-2026-5335

YouTube Video

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

7.5 (high)

Miscellaneous

Original Researcher

Hoang Phuong

Submitter

Hoang Phuong

Verified

Yes

WPVDB ID

ed6f00de-bbae-4e89-9d0e-ded0d70e781c

Timeline

Publicly Published

2026-04-13 (about 21 days ago)

Added

2026-04-13 (about 20 days ago)

Last Updated

2026-04-13 (about 20 days ago)

Other

Published

Title

Published

2024-04-26

Title

Contact Form 7 Database Addon – CFDB7 < 1.2.7 - Unauthenticated Sensitive Information Exposure

Published

2026-01-16

Title

WP Hotel Booking < 2.2.8 - Unauthenticated Sensitive Information Exposure via 'email' Parameter

Published

2024-06-20

Title

WP 2FA < 2.6.4 - Unauthenticated Information Exposure via Log File

Published

2025-02-11

Title

Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin < 1.0.6 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

Published

2024-11-28

Title

Content Audit Exporter <= 1.1 - Unauthenticated Sensitive Information Exposure