01 Description: What the vulnerability does
The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to trigger a user data export while a subscriber-level (or higher) user has stored a crafted serialized XLSXWriter object payload as their display name.
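Because the payload described above lives in a regular profile field (the display name) and is only acted on when an administrator runs an export, a site owner can check for it before triggering any export. The following added check is not part of the advisory or the plugin; it scans a list of user records for values that carry a PHP serialized-object header (`O:<len>:"<Class>":`) and requires the declared length to match the class name, so ordinary text containing "O:" is not flagged. The user rows below are constructed sample data, and the property inside the sample object is a labelled placeholder, not the plugin's real structure.

```python
import re
from typing import Iterable

# PHP serialized-object header: O:<name length>:"<ClassName>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":(\d+):\{')


def find_serialized_objects(value: str) -> list[str]:
    """Return the class names of PHP serialized objects embedded in value.

    Only headers whose declared length equals the class-name length count,
    which filters out ordinary text that merely contains 'O:'.
    """
    hits = []
    for m in PHP_OBJECT_RE.finditer(value):
        declared_len, cls = int(m.group(1)), m.group(2)
        if declared_len == len(cls):
            hits.append(cls)
    return hits


def flag_suspicious_display_names(users: Iterable[dict]) -> list[dict]:
    """Return one finding per user whose display_name carries a serialized object.

    Each record is expected to have 'id', 'user_login' and 'display_name' keys,
    the same fields a user listing from the site would provide.
    """
    findings = []
    for u in users:
        classes = find_serialized_objects(u.get("display_name") or "")
        if classes:
            findings.append(
                {"id": u["id"], "user_login": u["user_login"], "classes": classes}
            )
    return findings


# Constructed sample rows (not data from any real site). Row 2 carries a
# serialized XLSXWriter object whose single property is a placeholder;
# row 3 has a header with a wrong length and must not be flagged;
# row 4 is plain text that happens to contain "O:".
SAMPLE_USERS = [
    {"id": 1, "user_login": "editor_anna", "display_name": "Anna (editor)"},
    {
        "id": 2,
        "user_login": "sub_bob",
        "display_name": 'O:10:"XLSXWriter":1:{s:4:"note";s:11:"PLACEHOLDER";}',
    },
    {"id": 3, "user_login": "sub_carl", "display_name": 'O:99:"Hello":0:{}'},
    {"id": 4, "user_login": "sub_dana", "display_name": "Ratio O:1 seen"},
]

if __name__ == "__main__":
    for finding in flag_suspicious_display_names(SAMPLE_USERS):
        print(f"user {finding['id']} ({finding['user_login']}): "
              f"serialized object(s) {finding['classes']} in display_name")
```

On a live site the same records can be pulled with WP-CLI (`wp user list --fields=ID,user_login,display_name --format=json`) and fed to `flag_suspicious_display_names` after renaming `ID` to `id`. A hit is a reason to hold off on exports and update the plugin past 2.2.6 before anything else; the check is a stop-gap, not a replacement for the fix.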
02 Summary: Explanation of the vulnerability in simple terms
Export User Data versions 2.2.6 and earlier contain a deserialization flaw that allows authenticated users to execute arbitrary code on the site by crafting malicious serialized data. An attacker with low-level access can trigger code execution through user interaction, such as visiting a crafted link. This affects confidentiality, integrity, and availability of the affected system.
03 Attacker Capabilities: What an attacker can do
Run arbitrary code on the site with the privileges of the authenticated user.
04 Site Impact: Potential impact on your site
An authenticated attacker can compromise your site, steal data, modify content, or disrupt service.
05 Prerequisites: Conditions required to exploit
Attacker must have a low-level user account and trick a user into visiting a malicious link or page.
06 Disclosure Timeline: Key dates
June 30, 2026: CVE published