The vulnerability CVE-2025-11693 affects the Export WP Pages to HTML & PDF plugin for WordPress, versions up to and including 4.3.4. It involves the exposure of sensitive authentication cookies through publicly accessible cookies.txt files generated during backup operations. Specifically, when a site administrator triggers a backup using privileged roles like 'administrator,' cookies containing authentication tokens may be injected into log files that are then exported and made publicly accessible. This exposure allows unauthenticated attackers to retrieve these cookies and potentially hijack administrator sessions, leading to full control over the WordPress site. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS 3.1 base score of 9.8, reflecting its critical nature. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). No patches were listed at the time of publication, and no known exploits in the wild have been reported, but the ease of exploitation and the severity of impact make this a high-risk vulnerability. The plugin’s widespread use in WordPress sites that rely on static HTML and PDF exports for backup or static site generation increases the attack surface. The vulnerability underscores the risk of improper handling of sensitive data during backup and export processes in web applications.

For European organizations, this vulnerability poses a significant risk of unauthorized access to WordPress administrative accounts, potentially leading to full site compromise, data theft, defacement, or disruption of services. Given the critical CVSS score, exploitation could result in loss of confidentiality of sensitive business or customer data, integrity violations through unauthorized content changes, and availability impacts if attackers disrupt or take down the site. Organizations relying on WordPress for public-facing websites, e-commerce, or internal portals are particularly vulnerable. The exposure of authentication cookies to unauthenticated attackers means that even external threat actors without prior access can gain elevated privileges. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and financial losses. The vulnerability also increases the risk of lateral movement within networks if WordPress credentials are reused or linked to other systems. The lack of known exploits currently provides a window for proactive mitigation, but the critical severity demands urgent attention.

1. Immediately monitor for plugin updates from the vendor and apply patches as soon as they become available. 2. Until patches are released, restrict public access to backup directories and any exported files that may contain sensitive cookies or logs by configuring web server access controls (e.g., .htaccess rules, IP whitelisting). 3. Review and modify backup procedures to avoid including sensitive authentication data in exported files, especially when triggered by privileged user roles. 4. Implement strict file permissions and isolate backup storage locations from public web directories. 5. Conduct audits of WordPress user roles and minimize the number of users with administrator privileges to reduce risk exposure. 6. Enable multi-factor authentication (MFA) for WordPress administrator accounts to mitigate the impact of stolen cookies. 7. Monitor web server logs and WordPress activity for unusual access patterns or unauthorized login attempts. 8. Educate administrators on secure backup practices and the risks of exposing authentication tokens. 9. Consider deploying Web Application Firewalls (WAFs) to detect and block attempts to access sensitive backup files. 10. Regularly review and update incident response plans to address potential exploitation scenarios related to this vulnerability.