VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 6 known issues Latest disclosed Apr 02, 2026

Export All URLs Vulnerabilities

Review known vulnerability records for the WordPress plugin Export All URLs (`export-all-urls`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-2696, CVE-2023-3118 and CVE-2022-2638, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
6
High or Critical
1
Patch Coverage
100%
Last Updated
Apr 09, 2026
Priority CVE Quick Links

Fast paths into Export All URLs CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
6
CVE-2026-2696 High 5.1
CVE-2026-2696 Export All URLs Sensitive Information Exposure

Export All URLs < 5.1 - Unauthenticated Information Exposure

CVE-2022-2638 Medium 4.4
CVE-2022-2638 Export All URLs Vulnerability

Export All URLs <= 4.3 - Arbitrary File Deletion

CVE-2022-0914 Medium 4.3
CVE-2022-0914 Export All URLs Cross-Site Request Forgery

Export All URLs <= 4.2 - Cross-Site Request Forgery to Sensitive Data Export

CVE-2022-27856 Medium 4.2
CVE-2022-27856 Export All URLs Stored Cross-Site Scripting

Export All URLs <= 4.1 - Authenticated (Editor+) Stored Cross-Site Scripting

CVE-2023-3118 Medium 4.6
CVE-2023-3118 Export All URLs Cross-Site Scripting

Export All URLs <= 4.5 - Reflected Cross-Site Scripting

CVE-2022-0892 Medium 4.2
CVE-2022-0892 Export All URLs Cross-Site Scripting

Export All URLs <= 4.1 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Export All URLs so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
6 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 1 high severity finding.
Recent CVEs
CVE-2026-2696, CVE-2023-3118 and CVE-2022-2638
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Export All URLs

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-2696
CVE-2026-2696: Export All URLs < 5.1 - Unauthenticated Information Exposure

The Export All URLs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 5.1 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Published
Apr 02, 2026
Patched Release
5.1
Affected Versions
Versions before 5.1
Next Step
Update to 5.1 or newer if supported.
Open CVE-2026-2696 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-3118
CVE-2023-3118: Export All URLs <= 4.5 - Reflected Cross-Site Scripting

The Export All URLs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'starting-point' and 'ending-point' parameters in versions up to, and including, 4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthentic...

Published
Jun 19, 2023
Patched Release
4.6
Affected Versions
Versions up to 4.5
Next Step
Update to 4.6 or newer if supported.
Open CVE-2023-3118 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-2638
CVE-2022-2638: Export All URLs <= 4.3 - Arbitrary File Deletion

The Export All URLs for WordPress is vulnerable to arbitrary file deletion in versions up to, and including, 4.3 due to missing file path and type validation in the ~/extract-all-urls-settings.php file on the 'f' parameter. This makes it possible for authenticated attackers with...

Published
Aug 08, 2022
Patched Release
4.4
Affected Versions
Versions up to 4.3
Next Step
Update to 4.4 or newer if supported.
Open CVE-2022-2638 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-27856
CVE-2022-27856: Export All URLs <= 4.1 - Authenticated (Editor+) Stored Cross-Site Scripting

The Export All URLs plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to injec...

Published
May 27, 2022
Patched Release
4.2
Affected Versions
Versions up to 4.1
Next Step
Update to 4.2 or newer if supported.
Open CVE-2022-27856 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-0892
CVE-2022-0892: Export All URLs <= 4.1 - Reflected Cross-Site Scripting

The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting

Published
Mar 21, 2022
Patched Release
4.2
Affected Versions
Versions before 4.2
Next Step
Update to 4.2 or newer if supported.
Open CVE-2022-0892 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-0914
CVE-2022-0914: Export All URLs <= 4.2 - Cross-Site Request Forgery to Sensitive Data Export

The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and ret...

Published
Mar 21, 2022
Patched Release
4.3
Affected Versions
Versions before 4.3
Next Step
Update to 4.3 or newer if supported.
Open CVE-2022-0914 Report Open CVE Reference