Sensitive Information Exposure in Import and Export Users and Customers Plugin for WordPress
CVE-2026-15026
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15026?
The Import and Export Users and Customers plugin for WordPress has a vulnerability that allows authenticated attackers with subscriber-level access and higher to exploit the email_template_selected feature. This exposure enables unauthorized users to access the post_title and raw post_content of any post, irrespective of its status (draft, private, future, trash, password-protected) or type, including custom post types. The underlying issue is rooted in an exposed codection-security nonce, which can be viewed as inline JavaScript on any wp-admin page when ?post_type=acui_email_template is modified in the URL. As a result, this vulnerability poses significant risks to the confidentiality of sensitive data managed within WordPress sites.
Affected Version(s)
Import and export users and customers 0 <= 2.4.0