CVE-2025-13606: CWE-352 Cross-Site Request Forgery (CSRF) in smackcoders Export All Posts, Products, Orders, Refunds & Users
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information, including user data, email addresses, password hashes, and WooCommerce data, to an attacker-controlled file path on the server via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13606 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin 'Export All Posts, Products, Orders, Refunds & Users' by smackcoders, affecting all versions up to and including 2.19. The plugin exports site data (posts, products, orders, refunds and users) to a file on the server. The root cause is missing or incorrect nonce validation in the parseData function. In WordPress the nonce is the CSRF token: a handler that does not verify it with wp_verify_nonce() or check_ajax_referer() acts on any request that arrives with a valid administrator session cookie, and a browser attaches that cookie automatically to requests that a third-party page causes it to send. The attacker therefore needs no account on the site; they need a logged-in administrator to open an attacker-controlled page or link, at which point the forged request runs the export with parameters the attacker chose, including the destination path on the server. The data reachable through the export includes user records, email addresses, password hashes and WooCommerce order data. Whether the attacker can subsequently retrieve the written file depends on where that path points, a detail the advisory does not spell out; a file written under a web-served directory would typically be downloadable. The CVSS 3.1 base score of 6.5 corresponds to the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N: network-reachable, low complexity, no privileges required, user interaction required, high confidentiality impact, and no integrity or availability impact. The weakness is classified as CWE-352. At the time of this analysis no patch or public exploit was known; site owners should check the plugin directory for a release later than 2.19 before relying on an update.
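The missing check and its fix, as an added illustrative example written for this page rather than the plugin's own code. The hook and action names, the `module` and `file_path` parameters, the export directory and the `example_write_export()` stand-in are assumptions; only the function name parseData and the absent nonce validation come from the advisory. The first handler shows the vulnerable pattern, the second the hardened one.

```php
<?php
// Added illustrative example for this page, not code from the smackcoders
// plugin. Assumed: the 'example_export*' action names, the 'module' and
// 'file_path' parameters, the export directory and example_write_export().
// Only the function name parseData and the missing nonce check are from
// the advisory.

// ---- Vulnerable pattern ------------------------------------------------
// Any request carrying an administrator's session cookie is acted on. A page
// on another origin can make the admin's browser send this request, and the
// browser attaches the cookie automatically: that is the CSRF.
add_action( 'wp_ajax_example_export', 'example_parseData_vulnerable' );

function example_parseData_vulnerable() {
    // No check_ajax_referer() and no current_user_can(): nothing proves the
    // request was made deliberately by the logged-in administrator.
    $module = sanitize_text_field( wp_unslash( $_POST['module'] ?? 'users' ) );
    $path   = wp_unslash( $_POST['file_path'] ?? '' ); // attacker-chosen destination
    example_write_export( $module, $path );
    wp_send_json_success( array( 'file' => $path ) );
}

// ---- Hardened pattern --------------------------------------------------
add_action( 'wp_ajax_example_export_fixed', 'example_parseData_fixed' );

function example_parseData_fixed() {
    // Stops with HTTP 403 unless _wpnonce is a live nonce minted for this
    // user and this action. A page on another origin cannot read the nonce.
    check_ajax_referer( 'example_export_nonce', '_wpnonce' );

    // The nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'posts', 'products', 'orders', 'refunds', 'users' );
    $module  = sanitize_key( $_POST['module'] ?? 'users' );
    if ( ! in_array( $module, $allowed, true ) ) {
        wp_send_json_error( 'unknown module', 400 );
    }

    // The client never chooses the destination. Assumed directory; protect it
    // from direct web access (deny rule) or place it outside the docroot.
    $dir = WP_CONTENT_DIR . '/example-exports-private';
    wp_mkdir_p( $dir );
    $path = $dir . '/' . $module . '-' . wp_generate_password( 16, false ) . '.csv';

    example_write_export( $module, $path );
    wp_send_json_success( array( 'file' => basename( $path ) ) );
}

// The admin page that triggers the export receives the nonce; this is the
// value the fixed handler verifies.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-export', plugins_url( 'export.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-export', 'exampleExport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_export_nonce' ),
    ) );
} );

function example_write_export( $module, $path ) {
    // Stand-in for the real export routine (assumed).
    file_put_contents( $path, "module,{$module}\n" );
}
```

The page script (export.js, assumed) would POST `action=example_export_fixed`, `module=users` and `_wpnonce=exampleExport.nonce` to `exampleExport.ajaxUrl`. Three properties matter: the nonce is not readable from another origin, the capability check is separate from the nonce check, and the output path is never taken from the request, which also removes the attacker-controlled file path described in the advisory.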
Potential Impact
For European organizations, particularly those operating WordPress sites with WooCommerce, this vulnerability poses a significant risk of sensitive data leakage. An export of user records with password hashes lets an attacker crack the hashes offline and reuse recovered passwords against other services (credential stuffing), and the personal data in user and order records makes such an export a likely notifiable breach under GDPR. Unauthorized export of order and refund data also compromises customer privacy and business confidentiality. Because the attack depends on an administrator opening an attacker-controlled link or page while logged in, organizations with weak security awareness training, or with administrators who routinely browse untrusted content from the same browser session they use for site administration, are at higher risk. A confidentiality breach of this kind can bring reputational damage, financial penalties and loss of customer trust. Given the widespread use of WordPress and WooCommerce in Europe, the population of affected sites is substantial. The vulnerability has no impact on integrity or availability, so the threat is data exposure rather than service disruption.
Mitigation Recommendations
Organizations should first establish whether the plugin is installed and at which version, for example from the Plugins screen or with WP-CLI (`wp plugin list`); any version up to and including 2.19 is affected. Until a fixed release is available, the most reliable mitigation is to deactivate the plugin; exports are occasional tasks, so it can be activated only while an administrator is actively using it, from a browser session with no other tabs open, and deactivated afterwards. Limiting administrator exposure to untrusted websites and emails reduces the chance of the required click but cannot be relied on by itself. A web application firewall cannot validate WordPress nonces, but a rule that rejects admin-ajax.php or admin-post.php requests for the plugin's export action when the Origin or Referer header is missing or names another host blocks the forged cross-site request without modifying the plugin. Site owners who can edit code should confirm that the handler reaching parseData calls check_ajax_referer() or wp_verify_nonce() together with a capability check such as current_user_can(), and add them if they are absent, accepting that such changes are overwritten by the next plugin update. Check the filesystem for export files nobody requested, review web-server logs for export requests carrying a foreign Referer, and keep backups. Security awareness training for administrators helps; multi-factor authentication does not prevent CSRF, because the victim is already authenticated when the forged request fires, although it still protects against reuse of any credentials recovered from a leaked export. Reducing the number of accounts that hold the administrator capability shrinks the pool of viable victims. Once a fixed version is published, update promptly and verify that the installed version is later than 2.19.
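An interim guard of the kind described above, as an added example written for this page and not code from the plugin or from Wordfence. It is a must-use plugin that refuses admin-ajax requests for the plugin's export actions unless the browser's Origin or Referer header names this site; it does not validate nonces on the plugin's behalf. The action names in `EXAMPLE_GUARDED_ACTIONS` are assumed placeholders that must be replaced with the `wp_ajax_*` action names the plugin actually registers (search its source for `add_action( 'wp_ajax_`).

```php
<?php
/**
 * Plugin Name: Interim CSRF guard for plugin export actions (added example)
 *
 * Illustrative stop-gap written for this page, not code from the smackcoders
 * plugin or from Wordfence. Place in wp-content/mu-plugins/. It rejects
 * admin-ajax requests for the listed actions unless the browser indicates
 * they originated on this site. Remove once a fixed plugin version is installed.
 */

// ASSUMED placeholders: replace with the plugin's real wp_ajax_* action names.
const EXAMPLE_GUARDED_ACTIONS = array( 'example_export_action', 'example_parse_action' );

/**
 * Decide from the request headers whether the request came from our own origin.
 * $server is $_SERVER (passed in so the logic is testable), $home_url is home_url().
 */
function example_request_origin_is_local( array $server, string $home_url ): bool {
    $site_host = strtolower( (string) wp_parse_url( $home_url, PHP_URL_HOST ) );

    // Browsers send Origin on cross-site POSTs; Referer covers top-level GET
    // navigations. The first header present decides.
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( empty( $server[ $header ] ) ) {
            continue;
        }
        $host = strtolower( (string) wp_parse_url( $server[ $header ], PHP_URL_HOST ) );
        return $host === $site_host;
    }

    // Neither header present: an attacker page can suppress Referer with a
    // no-referrer policy, so an unknown origin is treated as not ours.
    return false;
}

// admin-ajax.php runs admin_init before dispatching wp_ajax_{action}, so a
// refusal here prevents the plugin's handler from ever running.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = sanitize_text_field( wp_unslash( $_REQUEST['action'] ?? '' ) );
    if ( ! in_array( $action, EXAMPLE_GUARDED_ACTIONS, true ) ) {
        return;
    }
    if ( ! example_request_origin_is_local( $_SERVER, home_url() ) ) {
        error_log( sprintf(
            'example-csrf-guard: refused action=%s ip=%s referer=%s',
            $action,
            $_SERVER['REMOTE_ADDR'] ?? '?',
            $_SERVER['HTTP_REFERER'] ?? '-'
        ) );
        wp_die( 'Cross-site request refused.', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

Origin and Referer checks are weaker than nonces: they depend on the browser sending the headers, and legitimate requests from clients that strip them will be refused too, so the guard is scoped to the export actions only. The log line gives a detection signal for attempted exploitation while the guard is in place. Legitimate exports from the plugin's own admin page still work because the admin page is served from the site's origin.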
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T14:50:42.137Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e6edbf8429d84f3bf2bb2
Added to database: 12/2/2025, 4:45:15 AM
Last enriched: 12/9/2025, 5:31:44 AM
Last updated: 1/18/2026, 10:43:17 PM
Related Threats
- CVE-2026-23525: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in 1Panel-dev 1Panel (Medium)
- CVE-2026-1126: Unrestricted Upload in lwj flow (Medium)
- CVE-2026-1125: Command Injection in D-Link DIR-823X (Medium)
- CVE-2026-1124: SQL Injection in Yonyou KSOA (Medium)
- CVE-2026-0863: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (High)