Platform
wordpress
Component
wp-ultimate-exporter
Fixed version
2.19.1
CVE-2025-13606 describes a Cross-Site Request Forgery (XSRF) vulnerability in the Export All Posts, Products, Orders, Refunds & Users plugin for WordPress. The flaw could allow an unauthenticated attacker to export sensitive information, including user data and WooCommerce details, to a location the attacker controls. Versions 0.0.0 through 2.19 are affected; a fix is available in version 2.20.
The primary impact of CVE-2025-13606 is unauthorized data exfiltration. An attacker can craft a malicious request that, if triggered by a site administrator, instructs the plugin to export data to a file path under the attacker's control. That data could include user credentials (email addresses and password hashes), WooCommerce order information, and other sensitive details stored in the WordPress site. Successful exploitation could lead to identity theft, financial fraud, and compromise of the entire WordPress installation. The risk is greater for sites that handle sensitive customer data or financial transactions.
CVE-2025-13606 was publicly disclosed on December 2, 2025. There is currently no indication of active exploitation campaigns targeting this vulnerability, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed in the CISA KEV catalog. The medium CVSS score reflects the potential for data exfiltration, while the absence of public exploits and of a KEV listing suggests a relatively low immediate risk.
WordPress sites running the Export All Posts, Products, Orders, Refunds & Users plugin are at risk, particularly those that handle sensitive user data or WooCommerce transactions. Shared hosting environments, where several WordPress sites share the same server resources, are also a concern: a compromise of one site could lead to exploitation of this vulnerability on other sites on the same host that use the plugin.
• wordpress / composer / npm:
  grep -r "parseData function" /var/www/html/wp-content/plugins/export-all-posts-products-orders-refunds-users/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep "export-all-posts-products-orders-refunds-users"
• wordpress / composer / npm:
  wp plugin update --all
• generic web: Check the WordPress plugin directory for an updated version (2.20 or higher).
Disclosure
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The most effective mitigation for CVE-2025-13606 is to upgrade the Export All Posts, Products, Orders, Refunds & Users plugin to version 2.20 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily restrict access to the plugin's export functionality to trusted administrators only. A Web Application Firewall (WAF) with XSRF protection rules can help block malicious requests, though it is not a complete solution on its own. Regularly review WordPress user permissions and ensure that only authorized personnel have access to administrative functions. After upgrading, confirm the fix by attempting to trigger an export request from a different browser session and verifying that the nonce validation rejects it.
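To illustrate the nonce validation the mitigation relies on, here is an added example of the weak and hardened forms of a WordPress export handler. It is not the plugin's own code: the hook names, `example_*` functions, field names and the `manage_options` capability are assumptions chosen for the illustration.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical admin-post export
// handler: the weak pattern acts on any request reaching the hook (the CSRF
// pattern); the hardened pattern checks capability, nonce and output path.

// --- Weak pattern: a forged cross-site form post is enough to trigger it ---
add_action( 'admin_post_example_export', 'example_export_weak' );
function example_export_weak() {
    $target = sanitize_text_field( $_POST['export_path'] ?? '' );
    example_run_export( $target ); // writes wherever the request says
}

// --- Hardened pattern ---
add_action( 'admin_post_example_export_safe', 'example_export_safe' );
function example_export_safe() {
    // 1. Only users allowed to administer the site may trigger an export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a nonce bound to this action and this user's
    //    session; a cross-site attacker cannot know it. check_admin_referer()
    //    terminates with a 403 page when the nonce is missing or invalid.
    check_admin_referer( 'example_export_action', 'example_export_nonce' );
    // 3. Never write to a request-supplied path: keep only a file name and
    //    place it inside the WordPress uploads directory.
    $upload = wp_upload_dir();
    $name   = sanitize_file_name( $_POST['export_name'] ?? 'export.csv' );
    $target = trailingslashit( $upload['basedir'] ) . $name;
    example_run_export( $target );
}

// The legitimate form embeds the matching nonce so the hardened handler
// accepts it; a forged form on another origin cannot reproduce the value.
function example_export_form_html() {
    ob_start(); ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_export_safe">
        <?php wp_nonce_field( 'example_export_action', 'example_export_nonce' ); ?>
        <input type="text" name="export_name" value="export.csv">
        <button type="submit">Export</button>
    </form>
    <?php return ob_get_clean();
}

// Minimal stand-in for the export itself: writes a CSV header row.
function example_run_export( $target ) {
    file_put_contents( $target, "id,email\n", LOCK_EX );
}
```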
Update to version 2.20, or a newer fixed version.
CVE-2025-13606 is a Cross-Site Request Forgery (XSRF) vulnerability in the Export All Posts, Products, Orders, Refunds & Users plugin for WordPress, allowing attackers to potentially export sensitive data.
You are affected if your WordPress site uses the Export All Posts, Products, Orders, Refunds & Users plugin in versions 0.0.0 through 2.19.
Upgrade the plugin to version 2.20 or later to resolve the vulnerability. Consider temporary restrictions on plugin access if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the plugin developer's website or WordPress plugin directory for the latest advisory and update information.