CVE-2025-13606: CWE-352 Cross-Site Request Forgery (CSRF) in smackcoders Export All Posts, Products, Orders, Refunds & Users
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information, including user data, email addresses, password hashes, and WooCommerce data, to an attacker-controlled file path on the server via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13606 is a medium-severity CSRF vulnerability in the 'Export All Posts, Products, Orders, Refunds & Users' WordPress plugin developed by smackcoders, affecting all versions up to and including 2.19. The vulnerability stems from improper or missing nonce validation in the parseData function, which is responsible for handling export requests. Nonces in WordPress are security tokens designed to prevent CSRF attacks by ensuring that requests originate from legitimate users. The absence or incorrect implementation of nonce validation allows an attacker to craft malicious requests that, when executed by an authenticated administrator (via social engineering such as clicking a malicious link), trigger the export of sensitive site data. This data includes user details, email addresses, password hashes, and WooCommerce transactional data like orders and refunds. The exported data is saved to a file path controlled by the attacker on the server, potentially enabling further exploitation or data exfiltration. The attack vector requires no authentication but does require user interaction from an administrator, limiting the attack scope but still posing a significant risk. The CVSS 3.1 score of 6.5 reflects the high confidentiality impact due to sensitive data exposure, low attack complexity, no privileges required, and user interaction needed. No patches or fixes are currently linked, and no public exploits have been reported, but the vulnerability is publicly disclosed and documented. This vulnerability highlights the critical need for proper nonce validation in WordPress plugins handling sensitive operations.
Potential Impact
The primary impact of CVE-2025-13606 is the unauthorized disclosure of sensitive information, including user personal data, password hashes, and e-commerce transactional data. This can lead to privacy violations, identity theft, credential compromise, and financial fraud. Exposure of password hashes may enable offline cracking attempts, potentially compromising user accounts across multiple platforms if password reuse occurs. For e-commerce sites using WooCommerce, leakage of order and refund data can reveal customer purchasing behavior and financial details, damaging customer trust and violating data protection regulations such as GDPR or CCPA. The vulnerability does not affect data integrity or availability directly but can facilitate further attacks if attackers gain footholds through the exposed data. Organizations worldwide relying on this plugin risk reputational damage, regulatory penalties, and financial losses if exploited. The requirement for administrator interaction reduces the attack surface but does not eliminate risk, especially in environments with high administrator activity or phishing susceptibility. The lack of known exploits in the wild suggests limited current exploitation, but the public disclosure increases the likelihood of future attacks.
Mitigation Recommendations
Organizations should immediately verify if they use the 'Export All Posts, Products, Orders, Refunds & Users' plugin by smackcoders and identify the version in use. Since no official patch links are currently available, administrators should consider the following mitigations:
1) Temporarily deactivate or uninstall the plugin until a security update is released.
2) Restrict administrative access and educate administrators about phishing and social engineering risks to prevent inadvertent execution of malicious requests.
3) Implement Web Application Firewall (WAF) rules to detect and block suspicious export requests or unusual POST requests to the plugin endpoints.
4) Monitor server file systems for unauthorized file creation or modification in locations where exported data might be stored.
5) Review and harden WordPress nonce validation mechanisms in custom or third-party plugins to prevent similar CSRF issues.
6) Regularly audit user roles and permissions to minimize the number of administrators exposed to such attacks.
7) Once a patch is released, promptly apply it and verify nonce validation is correctly implemented.
8) Consider additional logging and alerting for export operations to detect anomalous activity early.
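As an added illustration (not the plugin's own code, which this record does not show), the following contrasts a WordPress admin-ajax export handler that performs no nonce check with a hardened version that validates the nonce, checks the caller's capability, and refuses a request-supplied output path. All function, action and field names are assumed.

```php
<?php
// Added illustration, not the plugin's code: a WordPress admin-ajax export
// handler in the shape this advisory describes, first without any
// request-origin check, then hardened. Names are hypothetical.

// --- Vulnerable pattern: any request carrying a logged-in admin's cookies is
// honoured, so a cross-site form post from another page triggers the export,
// and the output location comes straight from the request. ---
function insecure_export_handler() {
    $target = $_POST['export_path'];                    // caller-chosen path
    $rows   = array_map( fn( $u ) => $u->data, get_users() ); // includes user_pass hashes
    file_put_contents( $target, wp_json_encode( $rows ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_insecure_export', 'insecure_export_handler' );

// --- Hardened pattern: nonce + capability check, and the output path is
// derived server-side inside the uploads directory. ---
function secure_export_handler() {
    // 1. CSRF defence: the nonce is bound to the logged-in user and session,
    //    so a forged cross-site request cannot present a valid one.
    //    check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer( 'secure_export_action', 'security' );

    // 2. Authorization is a separate control from CSRF protection; check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Never write to a caller-supplied path; build it from trusted values.
    $upload = wp_upload_dir();
    $name   = sanitize_file_name( 'export-' . gmdate( 'Ymd-His' ) . '.json' );
    $target = trailingslashit( $upload['basedir'] ) . $name;

    // 4. Export only the columns the feature needs; no password hashes.
    $rows = get_users( array( 'fields' => array( 'ID', 'user_email' ) ) );
    file_put_contents( $target, wp_json_encode( $rows ) );
    wp_send_json_success( array( 'file' => $name ) );
}
add_action( 'wp_ajax_secure_export', 'secure_export_handler' );

// The admin page's form or JavaScript must include the nonce, generated with
// wp_create_nonce( 'secure_export_action' ) and posted in the 'security' field.
```

When auditing a third-party plugin for the pattern in mitigation step 5, the things to look for in each admin-ajax or admin-post handler are exactly the three checks above: a nonce verification call, a capability check, and no file path taken from the request.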
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T14:50:42.137Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e6edbf8429d84f3bf2bb2
Added to database: 12/2/2025, 4:45:15 AM
Last enriched: 2/27/2026, 10:02:09 AM
Last updated: 3/25/2026, 4:03:56 AM