Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
3.7
WP All Export plugin allows unauthorized access to sensitive data download
CVE-2026-1582
Summary
The WP All Export plugin for WordPress is vulnerable to unauthorized access to sensitive data files. This means that attackers can download sensitive information, such as personal data or business records, without being authenticated. To protect your data, update the plugin to the latest version or consider removing it if you're not using it.
Original title
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggl...
Original description
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pattern ^0e\d+$), allowing download of sensitive export files containing PII, business data, or database information.
nvd CVSS3.1
3.7
Vulnerability type
CWE-200
Information Exposure
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026