Export All Urls
by WordPress
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2696 | Med | 0.34 | 5.3 | 0.00 | Apr 1, 2026 | The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any… | ||
| CVE-2023-3118 | 0.00 | — | 0.00 | Jul 10, 2023 | The Export All URLs WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||
| CVE-2022-27856 | 0.00 | — | 0.00 | May 10, 2023 | Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Atlas Gondal Export All URLs plugin <= 4.1 versions. | |||
| CVE-2022-2638 | 0.00 | — | 0.01 | Aug 29, 2022 | The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete arbitrary file from the server | |||
| CVE-2022-29452 | 0.00 | — | 0.00 | Jun 15, 2022 | Authenticated (editor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Export All URLs plugin <= 4.1 at WordPress. | |||
| CVE-2022-0914 | 0.00 | — | 0.01 | Apr 11, 2022 | The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and… | |||
| CVE-2022-0892 | 0.00 | — | 0.01 | Apr 11, 2022 | The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting |
- risk 0.34cvss 5.3epss 0.00
The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any…
- CVE-2023-3118Jul 10, 2023risk 0.00cvss —epss 0.00
The Export All URLs WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
- CVE-2022-27856May 10, 2023risk 0.00cvss —epss 0.00
Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Atlas Gondal Export All URLs plugin <= 4.1 versions.
- CVE-2022-2638Aug 29, 2022risk 0.00cvss —epss 0.01
The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete arbitrary file from the server
- CVE-2022-29452Jun 15, 2022risk 0.00cvss —epss 0.00
Authenticated (editor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Export All URLs plugin <= 4.1 at WordPress.
- CVE-2022-0914Apr 11, 2022risk 0.00cvss —epss 0.01
The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and…
- CVE-2022-0892Apr 11, 2022risk 0.00cvss —epss 0.01
The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting