Medium severity 5.3 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 15, 2026

CVE-2026-2696

Description

The Export All URLs WordPress plugin before 5.1 generates CSV files containing post URLs (including those of private posts) under filenames that follow a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Export All URLs WordPress plugin before 5.1 stores exported CSV files with predictable filenames in the public uploads directory, allowing unauthenticated attackers to brute-force and access sensitive data including private post URLs.

The Export All URLs WordPress plugin before version 5.1 generates CSV files containing post URLs, including those of private posts, and names them with a predictable pattern based on a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory, making them accessible to anyone who can guess the filename [1].

An unauthenticated attacker can brute-force the 6-digit numeric component of the filename to retrieve exported CSV files. Since the files are stored in a world-readable directory, no authentication or prior knowledge is required beyond the ability to send HTTP requests to the target site [1].

Successful exploitation exposes the URLs of all posts, including private posts, which may contain sensitive information. This constitutes an unauthorized disclosure of data that should not be accessible to unauthenticated users [1].

The vulnerability has been fixed in version 5.1 of the plugin. Users are strongly advised to update to the latest version immediately [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
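
Filename guessing of the kind described above shows up in the web server's access log as one client requesting many different numbered CSV names under wp-content/uploads/. The following log check is an added example, not code from the plugin or the advisory; the combined log format, the example-export-NNNNNN.csv sample names, the threshold and the function names are assumptions, because the page does not give the plugin's exact filename pattern.

```python
import re
from collections import defaultdict

# Combined log format: client IP, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
SIX_DIGITS = re.compile(r'(?<!\d)\d{6}(?!\d)')  # exactly six digits, not part of a longer run

def export_number(path):
    """Return the 6-digit component if path looks like an exported CSV, else None.
    Assumption: exports are .csv files under /wp-content/uploads/ whose file
    name contains a 6-digit number; the exact naming pattern is not on the page.
    """
    path = path.split("?", 1)[0].lower()
    if not (path.startswith("/wp-content/uploads/") and path.endswith(".csv")):
        return None
    m = SIX_DIGITS.search(path.rsplit("/", 1)[1])
    return m.group(0) if m else None

def find_enumeration(lines, min_distinct=5):
    """Flag clients that requested at least min_distinct different export numbers.
    Returns {ip: {"distinct": n, "hits": [paths answered with 200]}}; a non-empty
    "hits" list means a guessed file was actually served to that client.
    """
    seen, hits = defaultdict(set), defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        num = export_number(path)
        if num is None:
            continue
        seen[ip].add(num)
        if status == "200":
            hits[ip].append(path.split("?", 1)[0])
    return {ip: {"distinct": len(nums), "hits": hits[ip]}
            for ip, nums in seen.items() if len(nums) >= min_distinct}

# Constructed sample log (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Apr/2026:10:00:0{i} +0000] "GET /wp-content/uploads/'
    f'example-export-{100000 + i}.csv HTTP/1.1" {200 if i == 4 else 404} 153'
    for i in range(6)
] + [
    '198.51.100.20 - - [02/Apr/2026:09:00:00 +0000] "GET /wp-content/uploads/example-export-654321.csv HTTP/1.1" 200 9000',
    '203.0.113.7 - - [02/Apr/2026:10:00:09 +0000] "GET /wp-content/uploads/2026/04/photo.jpg HTTP/1.1" 200 500',
]
```

Calling find_enumeration(SAMPLE_LOG) flags only 203.0.113.7; the single download from 198.51.100.20 stays below the threshold.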

References

1
