Security Flaw in Export All URLs Plugin for WordPress
CVE-2026-2696
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 1 April 2026
Badges
What is CVE-2026-2696?
The Export All URLs plugin for WordPress, prior to version 5.1, has a critical flaw that allows unauthenticated users to access sensitive information. This is due to its generation of CSV filenames containing post URLs, including private posts, in a predictable pattern based on a random six-digit number. These exported files are stored in the publicly accessible wp-content/uploads/ directory, making them susceptible to brute-force attacks. Attackers can exploit this vulnerability to retrieve sensitive data by systematically guessing the filename structure.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
Export All URLs 0 < 5.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.