Arbitrary File Deletion in Export User Data Plugin for WordPress
CVE-2026-12240

8 HIGH

Key Information:

Vendor: WordPress
CVE Published: 30 June 2026

What is CVE-2026-12240?

The Export User Data plugin for WordPress is susceptible to arbitrary file deletion due to a failure in validating file paths in the unserialize function. This flaw affects all versions up to and including 2.2.6. Authenticated attackers with subscriber-level access can exploit this vulnerability to delete any file on the server. Such deletion can lead to serious consequences, including potential remote code execution, particularly if sensitive configuration files like wp-config.php are targeted. The security risk escalates when an administrator unwittingly triggers a user data export while a user has crafted a malicious serialized XLSXWriter object payload as their display name.
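A defensive check for the condition described above, as an added example that is not part of the original advisory or the plugin's code: it scans exported user records for PHP-serialized markers in display_name before an export is run. The CSV columns (ID, user_login, display_name) and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# PHP serialize() writes an object as O:<len>:"<Class>":<count>:{...};
# C: is the older Serializable form. Either one in a profile field is abnormal.
OBJECT_MARKER = re.compile(r'[OC]:\+?\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# Other serialized values (arrays, strings) are suspicious but carry no class.
SCALAR_MARKER = re.compile(r'^\s*(?:a:\d+:\{|s:\d+:")')


def classify_display_name(value):
    """Return (verdict, class_names) for one display_name value."""
    classes = OBJECT_MARKER.findall(value)
    if classes:
        return "serialized-object", sorted(set(classes))
    if SCALAR_MARKER.search(value):
        return "serialized-data", []
    return "clean", []


def audit_users(csv_text):
    """Scan a CSV with ID,user_login,display_name columns; return findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict, classes = classify_display_name(row["display_name"])
        if verdict != "clean":
            findings.append({"id": row["ID"], "login": row["user_login"],
                             "verdict": verdict, "classes": classes})
    return findings


# Constructed sample export (not real data). The objects below have no
# properties, so they are inert; only their shape matters to the detector.
SAMPLE = '''ID,user_login,display_name
1,admin,Site Admin
7,alice,"Alice O: ""Ally"" Smith"
12,sub01,"O:10:""XLSXWriter"":0:{}"
15,sub02,"a:1:{i:0;O:10:""XLSXWriter"":0:{}}"
19,sub03,"a:1:{i:0;s:2:""hi"";}"
'''

if __name__ == "__main__":
    for finding in audit_users(SAMPLE):
        print(finding)
```

Any account flagged as serialized-object warrants review before an administrator triggers a user data export on a site running an affected version.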

Affected Version(s)

Export User Data: all versions up to and including 2.2.6

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Webbernaut