CVE-2026-1582

LOW

WP All Export <=1.4.14 - Info Disclosure

Title source: llm

Description

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pattern ^0e\d+$), allowing download of sensitive export files containing PII, business data, or database information.

References (3)

[Product] https://plugins.trac.wordpress.org/browser/wp-all-export/tags/1.4.14/actions/wp_loaded.php#L19

[Product] https://plugins.trac.wordpress.org/changeset/3455775/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/9a92c682-b8b3-4d23-bd84-97d7440ee525?source=cve

Scores

CVSS v3 3.7

EPSS 0.0009

EPSS Percentile 25.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

soflyy/WP All Export – Drag & Drop Export to Any Custom CSV, XML & Excel < 1.4.14

Published Feb 18, 2026

Tracked Since Feb 18, 2026