CVE-2025-11693 is a critical security vulnerability identified in the WordPress plugin 'Export WP Pages to HTML & PDF – Simply Create a Static Website' developed by recorp. The vulnerability, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), affects all versions up to and including 4.3.4. It arises because the plugin exposes cookies.txt files publicly, which contain authentication cookies. These cookies may be injected into log files if a site administrator triggers a backup operation using privileged roles such as 'administrator'. Since these cookies are authentication tokens, an attacker who can access them can impersonate the administrator, gaining full control over the WordPress site. The vulnerability is remotely exploitable without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact covers confidentiality (exposure of sensitive cookies), integrity (potential site takeover), and availability (possible site disruption). No patches or fixes are currently available, and no known exploits have been reported in the wild yet. The vulnerability was published on December 13, 2025, with a CVSS score of 9.8, indicating critical severity. The plugin’s functionality to export pages to static HTML and PDF files inadvertently exposes sensitive data through misconfigured backup or logging mechanisms, highlighting the need for secure handling of authentication tokens and strict access controls on backup artifacts.

For European organizations, this vulnerability poses a significant threat, especially those relying on WordPress for critical websites such as e-commerce platforms, government portals, and corporate sites. Exploitation can lead to unauthorized access to administrative accounts, resulting in data breaches, defacement, or complete site takeover. Confidential customer data, internal documents, and business-critical information could be exposed or manipulated. The availability of the website could be compromised through malicious modifications or denial-of-service attacks. The ease of exploitation (no authentication or user interaction required) increases the risk of widespread attacks. Given the widespread use of WordPress in Europe and the popularity of plugins for site management, organizations may face reputational damage, regulatory penalties under GDPR for data exposure, and operational disruptions. The lack of patches means organizations must rely on immediate mitigations to reduce risk.

1. Immediately disable the 'Export WP Pages to HTML & PDF – Simply Create a Static Website' plugin until a security patch is released by the vendor. 2. Restrict access to backup and log files on the web server using strict file permissions and web server configuration (e.g., .htaccess rules) to prevent public exposure of cookies.txt or similar files. 3. Audit and monitor web server directories for any publicly accessible sensitive files, especially those containing authentication tokens or cookies. 4. Implement network-level access controls to limit exposure of backup files to trusted IP addresses only. 5. Regularly review and minimize the use of plugins, especially those that handle sensitive data or perform backup/export functions. 6. Enforce strong administrator account security, including multi-factor authentication, to reduce the impact of stolen cookies. 7. Monitor logs for unusual access patterns or attempts to download cookies.txt files. 8. Prepare incident response plans to quickly address potential compromises stemming from this vulnerability. 9. Stay updated with vendor advisories and apply patches as soon as they become available.