CVE-2025-13606: CSRF Vulnerability in Export All Posts Plugin Exposes Sensitive WordPress Data

Overview

A Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2025-13606, has been disclosed in the “Export All Posts, Products, Orders, Refunds & Users” WordPress plugin. It affects all versions up to and including 2.19. The plugin's parseData function performs missing or incorrect nonce validation, so an attacker who holds no credentials on the site can still trigger an export, provided they can get a logged-in administrator to issue a forged request (for example by visiting a crafted page). The exported data can include user records, email addresses, password hashes, WooCommerce data and other sensitive information.

Technical Details

The root cause is the absence of effective CSRF protection in the plugin's parseData function. WordPress relies on nonces for this: a privileged action is expected to carry a token minted with wp_create_nonce() for the current user and action, and the handler is expected to reject the request unless wp_verify_nonce() (or one of its wrappers, check_admin_referer() / check_ajax_referer()) accepts it. Because that check is missing or incorrect here, an attacker can host a page that submits a prepared request to the site. When an authenticated administrator loads that page, their browser attaches the WordPress session cookies automatically, the server treats the forged request as a legitimate admin action, and the export runs. The export file is written to a location on the server that the attacker chose in the forged request, from which they can later retrieve it. Whether a browser's default SameSite=Lax cookie handling happens to block a given forged request depends on the HTTP method the handler accepts and on the victim's browser; it is not a substitute for nonce validation.

The exported data can include sensitive user information, potentially leading to data breaches and other security incidents.
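The handler pattern described above, as an added illustration that is not the plugin's code (this page does not show it): a hypothetical admin-ajax export handler, first in the vulnerable shape that trusts the incoming request, then with the WordPress nonce and capability checks that close the CSRF hole, plus the admin page that mints the nonce for the legitimate front-end. The function names, the AJAX action `demo_export_parse_data`, the nonce action `demo_export_run`, the `security` field name and the Tools submenu hook suffix are all assumptions made for the example.

```php
<?php
/**
 * Added example, not the plugin's code. Names below are assumed:
 *   AJAX action  : demo_export_parse_data
 *   nonce action : demo_export_run  (sent back in the POST field 'security')
 */

// Shared export routine: dumps a few user columns to a CSV file.
function demo_export_write_users_csv( $path ) {
    $fh = fopen( $path, 'w' );
    fputcsv( $fh, array( 'ID', 'user_login', 'user_email' ) );
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) ) as $u ) {
        fputcsv( $fh, array( $u->ID, $u->user_login, $u->user_email ) );
    }
    fclose( $fh );
}

// --- BEFORE: vulnerable. wp_ajax_* handlers only run for logged-in users,
// but nothing here proves the logged-in admin *intended* this request; a
// cross-site form post carrying the admin's cookies is accepted as-is, and
// the request even names the output file. (Kept unregistered so it never runs.)
function demo_export_parse_data_before() {
    $name = sanitize_file_name( $_POST['file_name'] ?? 'users.csv' );
    $path = trailingslashit( wp_upload_dir()['basedir'] ) . $name;   // web-readable
    demo_export_write_users_csv( $path );
    wp_send_json_success( array( 'file' => $name ) );
}
// add_action( 'wp_ajax_demo_export_parse_data', 'demo_export_parse_data_before' );

// --- AFTER: hardened.
function demo_export_parse_data_fixed() {
    // 1. CSRF: check_ajax_referer() runs wp_verify_nonce() on $_REQUEST['security']
    //    and, with $stop = true (the default), terminates the request with -1
    //    and HTTP 403 when the nonce is absent, expired or minted for another user.
    check_ajax_referer( 'demo_export_run', 'security' );

    // 2. Authorisation: a valid nonce proves intent, not privilege. Check the
    //    capability explicitly so a low-privilege user cannot run the export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Do not let the request choose where the file lands. Write under a
    //    plugin-owned directory with an unguessable name (extra hardening,
    //    beyond the nonce fix itself).
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'demo-export/';
    wp_mkdir_p( $dir );
    $name = 'users-' . wp_generate_password( 16, false ) . '.csv';
    demo_export_write_users_csv( $dir . $name );

    wp_send_json_success( array( 'file' => $name ) );
}
add_action( 'wp_ajax_demo_export_parse_data', 'demo_export_parse_data_fixed' );

// The legitimate admin page mints the nonce and hands it to its script; the
// script must POST action=demo_export_parse_data&security=<nonce> to admin-ajax.php.
// 'tools_page_demo-export' assumes a submenu page under Tools with slug 'demo-export'.
function demo_export_enqueue( $hook_suffix ) {
    if ( 'tools_page_demo-export' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'demo-export', plugins_url( 'demo-export.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-export', 'demoExport', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'demo_export_run' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_export_enqueue' );
```

The nonce is what defeats the forged request: an attacker's page cannot read the token out of the admin's session, so the cross-site POST arrives without a valid `security` field and dies at step 1 before any export work happens. The capability check at step 2 is independent and should stay even after the nonce fix, because nonces are per-user and per-action but say nothing about what that user is allowed to do.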

CVSS Analysis

The vulnerability has been assigned a CVSS score of 6.5 (MEDIUM). The rating is held down by the attack's preconditions rather than by the sensitivity of the data: a 6.5 is consistent with a request that is network-reachable and needs no privileges but requires an administrator's interaction, and that affects confidentiality only, with no integrity or availability impact.

  • CVSS Score: 6.5
  • Severity: MEDIUM
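The page states only the score. As an added worked derivation (not part of the original advisory), the CVSS 3.1 base-score formula applied to the vector a CSRF with high confidentiality impact would normally receive, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, reproduces 6.5 exactly. The assigned vector is not printed on the page, so taking this as the vector is an assumption.

$$
\begin{aligned}
\text{ISS} &= 1 - (1-C)(1-I)(1-A) = 1 - (1-0.56)(1-0)(1-0) = 0.56 \\
\text{Impact} &= 6.42 \times \text{ISS} = 6.42 \times 0.56 = 3.5952 \qquad (\text{Scope unchanged}) \\
\text{Exploitability} &= 8.22 \times AV \times AC \times PR \times UI \\
 &= 8.22 \times 0.85 \times 0.77 \times 0.85 \times 0.62 \approx 2.8353 \\
\text{Base} &= \mathrm{Roundup}\big(\min(\text{Impact} + \text{Exploitability},\;10)\big) = \mathrm{Roundup}(6.4305) = 6.5
\end{aligned}
$$

The two terms that keep this at MEDIUM are $UI{:}R$ (0.62 instead of 0.85 for no interaction) and $I{:}N$, $A{:}N$ (the export only reads data). The same flaw in a handler that also modified data would score higher.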

Possible Impact

Successful exploitation of this CSRF vulnerability could have severe consequences:

  • Data Breach: Exposure of sensitive user data, including email addresses, usernames, and potentially password hashes.
  • WooCommerce Data Compromise: Leakage of order details, customer information, and product data.
  • Reputation Damage: Loss of trust and credibility due to a security breach.
  • Compliance Violations: Potential violation of data protection regulations (e.g., GDPR) if personal data is compromised.

Mitigation and Patch Steps

The recommended course of action is to update the “Export All Posts, Products, Orders, Refunds & Users” plugin to the latest version; any release later than 2.19 contains the fix. If the site cannot be updated immediately, deactivate the plugin until it can be.

  1. Update the Plugin: Navigate to the Plugins section in your WordPress admin dashboard and update the “Export All Posts, Products, Orders, Refunds & Users” plugin to the latest version.
  2. Verify the Update: After updating, confirm that the plugin version is higher than 2.19.
  3. Monitor Activity: Review web server and WordPress activity logs for export requests that administrators did not initiate, in particular requests to the plugin's export endpoint with a missing or off-site Referer, and check the uploads directory for export files you do not recognise. Remove any export file that is publicly reachable and no longer needed.

References

WordPress Plugin Trac Changeset
Wordfence Threat Intelligence Report
