{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13606", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-24T14:50:42.137Z", "datePublished": "2025-12-02T04:37:14.256Z", "dateUpdated": "2026-04-08T16:45:53.338Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:53.338Z"}, "affected": [{"vendor": "smackcoders", "product": "Export All Posts, Products, Orders, Refunds & Users", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3405694/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "lucky_buddy"}], "timeline": [{"time": "2025-11-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-24T15:06:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-01T16:23:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-02T14:16:54.020245Z", "id": "CVE-2025-13606", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T14:21:30.523Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13606", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-02T14:16:54.020245Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T14:17:47.397Z"}}], "cna": {"title": "Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "lucky_buddy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "smackcoders", "product": "Export All Posts, Products, Orders, Refunds & Users", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.19"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-24T15:06:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-01T16:23:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3405694/"}], "descriptions": [{"lang": "en", "value": "The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:53.338Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13606", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:53.338Z", "dateReserved": "2025-11-24T14:50:42.137Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-02T04:37:14.256Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-13606", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-02T05:16:20.617", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3405694/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:23:23.698814+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 2.19, which removes the missing nonce check in parseData.", "If an upgrade is not immediately feasible, add a custom nonce or CSRF token verification to the export endpoint, ensuring that only properly authenticated requests are processed.", "Restrict access to the export URLs to administrative users only through server\u2011side or application\u2011level access controls, and consider using a web application firewall to block unexpected requests."], "summary": {"action": "Update Plugin", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Smackcoders Export All Posts, Products, Orders, Refunds & Users plugin in any version through 2.19 are affected. The vulnerability applies to all releases up to and including 2.19. Administrators of such sites should verify whether they are running a vulnerable version and consider upgrading.", "description_and_impact": "The Export All Posts, Products, Orders, Refunds & Users plugin contains a Cross\u2011Site Request Forgery flaw that arises from missing or incorrect nonce validation in the parseData function. This flaw allows an unauthenticated attacker to force a site administrator to export sensitive information\u2014including user records, email addresses, password hashes and WooCommerce orders\u2014to a file on the server that the attacker controls. Because the data can be written to an arbitrary path chosen by the attacker, the vulnerability leads to full disclosure of user and transactional data, compromising confidentiality and potentially enabling further credential\u2011reuse attacks.", "risk_and_exploitability": "The CVSS v3.1 base score of 6.5 indicates a medium\u2011severity issue, and the EPSS score being below 1% indicates a low probability of exploitation. Because the vulnerability requires a forged request to be sent while a legitimate administrator is authenticated, the attack typically relies on social engineering or malicious links presented to an admin. The vulnerability is not listed in CISA KEV, so no widespread exploitation campaigns have yet been reported. Nonetheless, any unpatched instance remains at risk if an attacker can coerce an admin into executing a crafted export request."}}}}, "created": "2025-12-02T11:58:15.761821+00:00", "updated": "2026-04-22T00:30:04.049269+00:00", "vendors": ["smackcoders", "smackcoders$PRODUCT$export_all_posts,_products,_orders,_refunds_&_users", "wordpress", "wordpress$PRODUCT$wordpress"]}