What the vulnerability does
01 Description
The hiWeb Export Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.0.0. This is due to missing or incorrect nonce validation in the tool-dashboard-history.php file. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Deleting the right file (such as wp-config.php) can easily lead to remote code execution.
Explanation of Vulnerability in Simple Terms
02 Summary
hiWeb Export Posts versions up to 0.9.0.0 contain a path traversal vulnerability that allows an attacker to write files outside the intended directory. The vulnerability requires user interaction and network access but does not require authentication. An attacker can modify or create files on the affected system, potentially compromising site integrity and availability.
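The two controls the sections above turn on, missing nonce validation (Description) and file-path confinement (Summary), shown together as an added example that is not the plugin's own code: a hypothetical WordPress admin-tool handler in its weak form and its hardened form. The `hiweb_example_*` function names, the action string and the export directory are assumptions; `check_admin_referer`, `current_user_can`, `wp_die`, `wp_unslash`, `wp_nonce_url`, `add_query_arg` and `admin_url` are WordPress core functions.

```php
<?php
// Added example (hypothetical, not code from hiWeb Export Posts).
// Assumes WordPress is loaded so the core functions below are available.

// Weak form: the action runs for any request carrying ?file=. Nothing proves
// the request was made deliberately by the administrator, so a link or
// auto-submitting form on another site is enough for the admin's browser to
// send it with the admin's session cookies attached.
function hiweb_example_delete_history_weak() {
    if ( isset( $_GET['file'] ) ) {
        unlink( ABSPATH . $_GET['file'] ); // no nonce, no capability check, no path check
    }
}

// Hardened form: three independent controls, each failing closed.
function hiweb_example_delete_history_hardened() {
    if ( ! isset( $_GET['file'] ) ) {
        return;
    }
    // 1. Capability: only users allowed to manage the site may delete exports.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce: the request must carry a token minted for this action and this
    //    user, which a cross-site page cannot read or forge. check_admin_referer()
    //    verifies $_REQUEST['_wpnonce'] against the action name and dies on failure.
    check_admin_referer( 'hiweb_example_delete_history' );
    // 3. Path confinement: only a file inside the export directory may be named.
    //    basename() drops any directory part; realpath() resolves symlinks so the
    //    prefix comparison is made on the real location.
    $base   = realpath( WP_CONTENT_DIR . '/uploads/hiweb-exports' ); // assumed directory
    $target = realpath( $base . '/' . basename( wp_unslash( $_GET['file'] ) ) );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file.', '', array( 'response' => 400 ) );
    }
    unlink( $target );
}

// The link that triggers the hardened handler must be generated with a nonce
// bound to the same action name, otherwise check_admin_referer() rejects it.
function hiweb_example_delete_link( $file ) {
    $url = add_query_arg(
        array( 'page' => 'hiweb-history', 'file' => $file ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'hiweb_example_delete_history' );
}
```

A missing or mismatched action string between `wp_nonce_url()` and `check_admin_referer()` is the "incorrect nonce validation" case: the token is present but never actually bound to the destructive action.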
What an attacker can do
03 Attacker Capabilities
Write or overwrite files outside the intended directory on the server.
Potential impact on your site
04 Site Impact
Attackers can modify site files, inject malicious code, or disable the site without needing a user account.
Conditions required to exploit
05 Prerequisites
Victim must visit a malicious link or page; no login required.
Key dates
06 Disclosure timeline
July 24, 2025: CVE published
April 8, 2026: Record updated