CVE-2023-5882

🗓️ 18 Dec 2023 20:08:04Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 81 Views🌐 WEB

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2023-5882	21 Dec 202323:16	–	circl
CNNVD	WordPress Plugin WP All Export Pro Security Vulnerability	18 Dec 202300:00	–	cnnvd
Cvelist	CVE-2023-5882 WP All Export (Free < 1.4.1, Pro < 1.8.6) - Remote Code Execution via CSRF	18 Dec 202320:08	–	cvelist
NVD	CVE-2023-5882	18 Dec 202320:15	–	nvd
OSV	CVE-2023-5882	18 Dec 202320:15	–	osv
Patchstack	WordPress WP ALL Export Pro Plugin < 1.8.6 is vulnerable to Cross Site Request Forgery (CSRF)	24 Nov 202300:00	–	patchstack
Patchstack	WordPress Export any WordPress data to XML/CSV Plugin < 1.4.1 is vulnerable to Cross Site Request Forgery (CSRF)	24 Nov 202300:00	–	patchstack
Prion	Remote code execution	18 Dec 202320:15	–	prion
Positive Technologies	PT-2023-32392 · WordPress · Export Any Wordpress Data To Xml/Csv +1	18 Dec 202300:00	–	ptsecurity
Vulnrichment	CVE-2023-5882 WP All Export (Free < 1.4.1, Pro < 1.8.6) - Remote Code Execution via CSRF	18 Dec 202320:08	–	vulnrichment

NVD

Vulners

Node

soflyy export_any_wordpress_data_to_xml/csvRange<1.4.1wordpress

soflyy wp_all_exportRange<1.8.6prowordpress

[
  {
    "vendor": "Unknown",
    "product": "Export any WordPress data to XML/CSV",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "1.4.0"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  },
  {
    "vendor": "Unknown",
    "product": "WP All Export Pro",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "1.8.6"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/72be4b5c-21be-46af-a3f4-08b4c190a7e2

Parameter	Position	Path	Description	CWE
page	request body	/wp-admin/admin.php?page=pmxe-admin-export	Nonce not checked early enough in request lifecycle allowing logged-in users to perform unintended actions, enabling remote code execution via crafted form submission.	CWE-352
export_type	request body	/wp-admin/admin.php?page=pmxe-admin-export	Nonce not checked early enough in request lifecycle allowing logged-in users to perform unintended actions, enabling remote code execution via crafted form submission.	CWE-352
wp_query_selector	request body	/wp-admin/admin.php?page=pmxe-admin-export	Nonce not checked early enough in request lifecycle allowing logged-in users to perform unintended actions, enabling remote code execution via crafted form submission.	CWE-352
wp_query	request body	/wp-admin/admin.php?page=pmxe-admin-export	Nonce not checked early enough in request lifecycle allowing logged-in users to perform unintended actions, enabling remote code execution via crafted form submission.	CWE-352
is_submitted	request body	/wp-admin/admin.php?page=pmxe-admin-export	Nonce not checked early enough in request lifecycle allowing logged-in users to perform unintended actions, enabling remote code execution via crafted form submission.	CWE-352
auto_generate	request body	/wp-admin/admin.php?page=pmxe-admin-export	Nonce not checked early enough in request lifecycle allowing logged-in users to perform unintended actions, enabling remote code execution via crafted form submission.	CWE-352
_wp_http_referer	request body	/wp-admin/admin.php?page=pmxe-admin-export	Nonce not checked early enough in request lifecycle allowing logged-in users to perform unintended actions, enabling remote code execution via crafted form submission.	CWE-352

17 Jun 2026 06:49Current

9High risk

Vulners AI Score9

CVSS 3.18.8

EPSS0.0055

SSVC

CWE-352