Cross-Site Request Forgery in Export All Posts Plugin for WordPress
CVE-2025-13606

6.5 MEDIUM

What is CVE-2025-13606?

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to cross-site request forgery because of inadequate nonce validation in the parseData function. Attackers can exploit the plugin via crafted requests, potentially resulting in the unauthorized export of sensitive data such as user information, email addresses, and WooCommerce transaction details. The flaw affects all versions up to and including 2.19. It lets unauthenticated attackers manipulate site administrators into executing harmful actions, which could compromise the integrity and confidentiality of stored information.

Affected Version(s)

Export All Posts, Products, Orders, Refunds & Users * <= 2.19

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

lucky_buddy