Vulnerability Description
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pattern ^0e\d+$), allowing download of sensitive export files containing PII, business data, or database information.
CVSS Score
LOW
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/wp-all-export/tags/1.4.14/actions/wp_
- https://plugins.trac.wordpress.org/changeset/3455775/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9a92c682-b8b3-4d23-bd8
FAQ
What is CVE-2026-1582?
CVE-2026-1582 is a vulnerability with a CVSS score of 3.7 (LOW). The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling...
How severe is CVE-2026-1582?
CVE-2026-1582 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-1582?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.