The WP All Export plugin for WordPress, widely used for exporting data to CSV, XML, and Excel formats, contains a vulnerability identified as CVE-2026-1582. This vulnerability stems from a PHP type juggling issue in the plugin's export download endpoint. Specifically, the security token comparison uses a loose equality operator (==) rather than a strict equality operator (===). In PHP, this can lead to 'magic hash' exploitation, where certain strings that look numeric (matching the regex pattern ^0e\d+$) are interpreted as zero in scientific notation, causing the loose comparison to incorrectly evaluate as true. Attackers can craft or identify such 'magic hash' values to bypass authentication checks on the export download endpoint. This allows unauthenticated users to download sensitive export files that may contain PII, business intelligence, or database information. The vulnerability affects all plugin versions up to and including 1.4.14. The CVSS 3.1 base score is 3.7, indicating a low severity primarily due to the complexity of exploitation and limited impact on integrity and availability. However, the confidentiality impact is non-negligible as sensitive data exposure can lead to privacy violations or business risks. No patches or fixes have been officially released at the time of publication, and no active exploitation has been reported. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

For European organizations, the exposure of sensitive export files containing PII or business data can have significant privacy and compliance implications, especially under GDPR regulations which mandate strict controls over personal data. Unauthorized access to such data could lead to data breaches, reputational damage, regulatory fines, and loss of customer trust. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone is critical in sectors handling sensitive customer or employee information, such as finance, healthcare, and e-commerce. The ease of exploitation is moderate due to the need to identify or generate suitable 'magic hash' values, but the lack of required authentication lowers the barrier for attackers. Organizations relying on WP All Export for data handling are at risk of inadvertent data leakage if the plugin is not updated or mitigated. The impact is more pronounced for entities exporting large volumes of sensitive data regularly.

European organizations should immediately audit their WordPress installations to identify if WP All Export plugin versions up to 1.4.14 are in use. If so, they should restrict access to the export download endpoint via web application firewall (WAF) rules or IP whitelisting to limit exposure. Until an official patch is released, disabling the export functionality or the plugin entirely is advisable if sensitive data export is not critical. Monitoring web server logs for unusual access patterns to the export endpoint can help detect exploitation attempts. Organizations should also review exported data storage and transmission practices to ensure encryption and access controls are in place. Applying strict input validation and avoiding reliance on PHP loose comparisons in custom code can prevent similar vulnerabilities. Finally, maintain awareness for vendor updates or patches and apply them promptly once available.