CVE-2026-2696: CWE-200 Information Exposure in Export All URLs
CVE-2026-2696 is an information exposure vulnerability in the Export All URLs WordPress plugin versions before 5.1. The plugin generates CSV export files containing URLs of posts, including private posts, with filenames based on a predictable pattern combined with a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory, allowing unauthenticated attackers to brute-force the filenames and access sensitive data. No authentication or user interaction is required to exploit this vulnerability. Although no known exploits are reported in the wild, the exposure of private post URLs can lead to confidentiality breaches. Organizations using this plugin on WordPress sites should prioritize mitigation to prevent unauthorized data disclosure.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-2696 affects the Export All URLs WordPress plugin prior to version 5.1. This plugin exports URLs of posts on a WordPress site into CSV files. The issue arises because the plugin includes URLs of private posts in these exports and stores the resulting CSV files in the publicly accessible wp-content/uploads/ directory. The filenames for these CSV exports are generated using a predictable pattern combined with a random 6-digit number, which is insufficiently complex to prevent brute-force guessing. An unauthenticated attacker can enumerate possible filenames by iterating through the 6-digit numeric space, potentially retrieving CSV files containing sensitive URLs, including those of private posts that should not be publicly accessible. This constitutes an information exposure vulnerability classified under CWE-200. The vulnerability does not require authentication or user interaction, increasing its risk. No official patch links are provided yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in February 2026 and published in April 2026. The lack of a CVSS score necessitates an independent severity assessment based on the nature of the exposure and ease of exploitation.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive information, specifically URLs of private posts that may contain confidential or proprietary content. This exposure can lead to privacy violations, leakage of sensitive business or personal information, and potential reconnaissance for further attacks. Organizations relying on the Export All URLs plugin for WordPress risk having private content inadvertently exposed to the public internet. This can damage organizational reputation, violate data protection regulations, and provide attackers with intelligence to facilitate targeted attacks such as phishing or social engineering. Since exploitation requires no authentication or user interaction, the attack surface is broad, affecting any publicly accessible WordPress site using the vulnerable plugin version. The impact is particularly significant for organizations hosting sensitive or regulated content on WordPress platforms.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade the Export All URLs plugin to version 5.1 or later once available, as this version presumably addresses the issue. Until a patch is applied, administrators should restrict access to the wp-content/uploads/ directory via web server configuration (e.g., using .htaccess rules or equivalent) to prevent public access to exported CSV files. Implementing strong filename randomization or using non-predictable tokens for export files can reduce brute-force risks. Additionally, review and limit the inclusion of private post URLs in export files or disable the export functionality if not essential. Monitoring web server logs for repeated access attempts to CSV files with numeric patterns can help detect brute-force attempts. Finally, consider applying a Web Application Firewall (WAF) rule to block or rate-limit requests targeting the export file paths.
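The log-monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the plugin or from this advisory: it scans combined-format web server access log lines for requests to .csv files under wp-content/uploads/ whose names carry a 6-digit run, and reports clients that probed many distinct names. The "export-" filename prefix in the constructed sample lines is a placeholder, since the page only states that the real name is a predictable pattern plus a random 6-digit number.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format). The "export-" prefix is a
# placeholder; the advisory does not give the plugin's real filename pattern.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2026:06:20:01 +0000] "GET /wp-content/uploads/export-000001.csv HTTP/1.1" 404 196 "-" "curl/8.5"
203.0.113.7 - - [01/Apr/2026:06:20:01 +0000] "GET /wp-content/uploads/export-000002.csv HTTP/1.1" 404 196 "-" "curl/8.5"
203.0.113.7 - - [01/Apr/2026:06:20:02 +0000] "GET /wp-content/uploads/export-000003.csv HTTP/1.1" 404 196 "-" "curl/8.5"
203.0.113.7 - - [01/Apr/2026:06:20:02 +0000] "GET /wp-content/uploads/export-000004.csv HTTP/1.1" 404 196 "-" "curl/8.5"
203.0.113.7 - - [01/Apr/2026:06:20:03 +0000] "GET /wp-content/uploads/export-000005.csv HTTP/1.1" 404 196 "-" "curl/8.5"
203.0.113.7 - - [01/Apr/2026:06:20:03 +0000] "GET /wp-content/uploads/export-000006.csv HTTP/1.1" 200 5120 "-" "curl/8.5"
198.51.100.4 - - [01/Apr/2026:06:21:10 +0000] "GET /wp-content/uploads/export-482913.csv HTTP/1.1" 200 5120 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2026:06:21:15 +0000] "GET /wp-content/uploads/2026/04/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Client IP, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any .csv directly under wp-content/uploads/ whose basename contains a 6-digit run.
CSV_RE = re.compile(r'^/wp-content/uploads/[^/?]*\d{6}[^/?]*\.csv$')


def find_enumeration(log_text, threshold=5):
    """Return {ip: {"distinct": n, "hits": k}} for clients that requested at
    least `threshold` distinct numeric CSV names; `hits` counts 200 responses,
    i.e. guesses that actually retrieved an export file."""
    per_ip = defaultdict(lambda: {"names": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not CSV_RE.match(m["path"]):
            continue  # not a request for a numeric CSV under uploads/
        rec = per_ip[m["ip"]]
        rec["names"].add(m["path"])
        if m["status"] == "200":
            rec["hits"] += 1
    return {ip: {"distinct": len(r["names"]), "hits": r["hits"]}
            for ip, r in per_ip.items() if len(r["names"]) >= threshold}


if __name__ == "__main__":
    for ip, stats in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {stats['distinct']} distinct CSV names probed, "
              f"{stats['hits']} returned 200")
```

A single administrator download (one distinct name, referred from wp-admin) stays below the threshold, while a client cycling through many numeric names, most of them 404s, is reported.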
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-02-18T14:32:38.179Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69ccb9d5e6bfc5ba1da0d487
Added to database: 4/1/2026, 6:23:17 AM
Last enriched: 4/1/2026, 6:38:46 AM
Last updated: 4/1/2026, 7:30:28 AM