
CVE-2025-11693: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in recorp Export WP Pages to HTML & PDF – Simply Create a Static Website

Severity: Critical
Published: Sat Dec 13 2025 (12/13/2025, 04:31:33 UTC)
Source: CVE Database V5
Vendor/Project: recorp
Product: Export WP Pages to HTML & PDF – Simply Create a Static Website

Description

The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to retrieve cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.'

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 19:10:52 UTC

Technical Analysis

The vulnerability identified as CVE-2025-11693 affects the Export WP Pages to HTML & PDF – Simply Create a Static Website plugin for WordPress, specifically all versions up to and including 4.3.4. This plugin is designed to export WordPress pages into static HTML and PDF formats. The core issue is the exposure of sensitive authentication cookies through publicly accessible cookies.txt files generated during backup operations. When a site administrator or a user with elevated privileges triggers a backup, the plugin may inadvertently log authentication cookies into these files. Because these cookies are stored in a publicly accessible location without proper access controls, unauthenticated attackers can retrieve them. Possession of these cookies can allow attackers to impersonate privileged users, including administrators, leading to full site compromise. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS 3.1 score of 9.8 reflects the critical nature of this flaw, with an attack vector that is network-based, requiring no privileges or user interaction, and resulting in high confidentiality, integrity, and availability impacts. Although no exploits have been reported in the wild yet, the ease of exploitation and the severity of potential damage make this a significant threat to WordPress sites using this plugin.

Potential Impact

The impact of CVE-2025-11693 is severe for organizations relying on the affected WordPress plugin. Unauthorized access to authentication cookies can lead to complete site takeover, allowing attackers to modify content, inject malicious code, steal sensitive data, or disrupt website availability. This can result in reputational damage, loss of customer trust, data breaches, and potential regulatory penalties. E-commerce sites, government portals, and enterprises using WordPress for critical operations are particularly vulnerable. The vulnerability's ease of exploitation means attackers can quickly leverage it to gain persistent access without needing prior credentials or user interaction. Additionally, compromised sites can be used as launchpads for further attacks, including phishing or malware distribution, amplifying the threat's reach and impact.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately implement strict access controls on backup directories and any files named cookies.txt to prevent public access. Web server configurations should be reviewed and updated to restrict access to sensitive files generated by the plugin. Administrators should avoid triggering backups with elevated user roles until a patch or update is released. Monitoring and logging should be enhanced to detect unusual access patterns or unauthorized retrieval of backup files. If possible, disable or uninstall the Export WP Pages to HTML & PDF plugin until a secure version is available. Applying web application firewalls (WAFs) with rules to block access to backup files and sensitive cookie files can provide an additional layer of defense. Finally, once the vendor releases a patch, it should be applied promptly to fully remediate the vulnerability.
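The monitoring step in the recommendations above, sketched as an added example (not part of the original advisory or the plugin's code): it scans web server access logs in Combined Log Format for requests to any file named cookies.txt and separates successful downloads from blocked or missing ones. The log lines, IP addresses and the EXAMPLE-EXPORT-DIR directory are constructed placeholders, not the plugin's real paths.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; EXAMPLE-EXPORT-DIR is a placeholder directory name.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2025:05:02:11 +0000] "GET /wp-content/uploads/EXAMPLE-EXPORT-DIR/cookies.txt HTTP/1.1" 200 412 "-" "curl/8.5.0"
198.51.100.23 - - [13/Dec/2025:05:03:40 +0000] "GET /wp-content/uploads/EXAMPLE-EXPORT-DIR/Cookies%2Etxt?x=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Dec/2025:05:03:44 +0000] "GET /backup/cookies.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Dec/2025:05:04:01 +0000] "GET /blog/cookies.txt.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Dec/2025:05:04:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (client_ip, verdict) for a cookies.txt request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and decode %-escapes so encoded names still match.
    path = unquote(urlsplit(m["target"]).path)
    if path.rsplit("/", 1)[-1].lower() != "cookies.txt":
        return None
    status = int(m["status"])
    # 2xx: the server handed the file over. Anything else: blocked or absent.
    return m["ip"], ("exposed" if 200 <= status < 300 else "probe")


def scan(log_text):
    """Count exposed downloads and probes of cookies.txt per client IP."""
    hits = defaultdict(lambda: {"exposed": 0, "probe": 0})
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            ip, verdict = result
            hits[ip][verdict] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, counts in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}: exposed={counts['exposed']} probe={counts['probe']}")
```

A 2xx hit means the file was served to that client, so any session cookies it contained should be treated as disclosed.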


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-13T15:49:19.732Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693cef62d977419e584a4fcc

Added to database: 12/13/2025, 4:45:22 AM

Last enriched: 2/27/2026, 7:10:52 PM

Last updated: 3/26/2026, 3:28:55 AM
