Cross-Site Request Forgery in Export All Posts Plugin for WordPress
CVE-2025-13606
Key Information:
- Vendor: WordPress
- CVE Published: 2 December 2025
What is CVE-2025-13606?
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to cross-site request forgery (CSRF) because of inadequate nonce validation in the parseData function. An unauthenticated attacker who manipulates a site administrator into sending a crafted request can trigger the unauthorized export of sensitive data such as user information, email addresses, and WooCommerce transaction details. The flaw affects all versions up to and including 2.19 and could compromise the integrity and confidentiality of stored information.
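
The class of check that is missing, shown as an added example and not the plugin's own code: a hypothetical WordPress export handler that verifies both the caller's capability and a nonce before it reads any request parameter. The action name `example_export`, the nonce names, the `manage_options` capability and the exported columns are assumptions chosen for illustration.

```php
<?php
// Added illustration, not the plugin's code. Every "example_" name is hypothetical.
const EXAMPLE_NONCE_ACTION = 'example_export_run';
const EXAMPLE_NONCE_FIELD  = 'example_export_nonce';

// Admin form: wp_nonce_field() embeds a token bound to the user, session and action.
function example_export_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_export">';
    wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
    submit_button( 'Export' );
    echo '</form>';
}

// Handler: refuse the request before reading any export parameter.
function example_export_handle() {
    // 1. Authorisation: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: a forged cross-site request cannot supply a valid nonce.
    $nonce = isset( $_POST[ EXAMPLE_NONCE_FIELD ] )
        ? sanitize_text_field( wp_unslash( $_POST[ EXAMPLE_NONCE_FIELD ] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_NONCE_ACTION ) ) {
        wp_die( 'Invalid or missing nonce', '', array( 'response' => 403 ) );
    }
    // 3. Input: accept only allow-listed export types.
    $type = isset( $_POST['post_type'] ) ? sanitize_key( wp_unslash( $_POST['post_type'] ) ) : 'post';
    if ( ! in_array( $type, array( 'post', 'page' ), true ) ) {
        wp_die( 'Unsupported export type', '', array( 'response' => 400 ) );
    }
    // 4. Stream the export to the authenticated admin's own response.
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="export.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( get_posts( array( 'post_type' => $type, 'numberposts' => -1 ) ) as $p ) {
        fputcsv( $out, array( $p->ID, $p->post_status, $p->post_date_gmt ) );
    }
    fclose( $out );
    exit;
}
add_action( 'admin_post_example_export', 'example_export_handle' );
```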

Affected Version(s)
Export All Posts, Products, Orders, Refunds & Users * <= 2.19