CVE-2026-15026 in Import and Export Users and Customers Plugin
Summary
by MITRE • 07/10/2026
The Import and export users and customers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.0 via the email_template_selected. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the post_title and raw post_content of arbitrary posts regardless of status (draft, private, future, trash, password-protected) or post type (including non-public CPTs such as WooCommerce orders and internal CRM records) by enumerating post IDs. The required codection-security nonce is exposed as inline JavaScript on any wp-admin page when ?post_type=acui_email_template is appended to the URL, which is reachable by any authenticated user including Subscribers.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability represents a critical sensitive information exposure flaw in the WordPress Import and Export Users and Customers plugin affecting versions up to 2.4.0. The issue stems from insufficient access controls and improper input validation mechanisms that allow authenticated users with subscriber-level privileges or higher to enumerate and extract confidential post data through crafted requests. The vulnerability specifically targets the email_template_selected parameter which exposes internal WordPress post management functionality to unauthorized access.
The technical implementation flaw occurs when the plugin processes requests containing the ?post_type=acui_email_template query parameter, which inadvertently exposes a nonce value through inline JavaScript rendering on any wp-admin page. This exposure creates a direct pathway for attackers to construct malicious requests that bypass normal WordPress access control mechanisms. The vulnerability leverages the fact that WordPress post IDs can be enumerated by authenticated users, allowing them to systematically request post data regardless of the post's status or type. This includes draft posts, private content, future-dated entries, trashed items, and password-protected content, as well as custom post types such as WooCommerce orders and CRM records.
The operational impact of this vulnerability extends beyond simple information disclosure, creating potential for significant data breaches and privacy violations. Attackers can extract complete post titles and raw content from any accessible post within the WordPress installation, including highly sensitive business data, customer information, internal communications, and proprietary content. This exposure affects not just standard blog posts but also specialized content types that should remain protected, making it particularly dangerous for e-commerce environments and organizations handling sensitive customer records. The vulnerability can be exploited by any authenticated user with subscriber-level access or higher, significantly expanding the attack surface compared to traditional privilege escalation vectors.
From a security framework perspective, this vulnerability maps directly to CWE-200 (Information Exposure) and CWE-352 (Cross-Site Request Forgery) while also aligning with ATT&CK technique T1213.002 (Backup Data Exfiltration) and T1566.001 (Phishing). The exposure of administrative nonces through client-side rendering represents a fundamental flaw in the plugin's security architecture, violating principles of least privilege and proper access control enforcement. Organizations should immediately implement mitigations including plugin version updates, restriction of user roles to minimum required permissions, and monitoring for unauthorized access attempts. Additionally, administrators should review and restrict access to wp-admin pages, particularly those containing sensitive administrative interfaces, while implementing network-level controls to prevent exploitation through automated enumeration techniques.
The vulnerability demonstrates a classic case of insufficient authorization checks combined with improper nonce handling in WordPress plugins. The exposure of the nonce value through inline JavaScript on admin pages creates an authentication bypass opportunity that allows attackers to craft requests that would normally require valid administrative credentials. This flaw represents a fundamental failure in the plugin's security design and highlights the importance of proper input validation, access control enforcement, and secure coding practices in WordPress plugin development. Organizations should conduct immediate vulnerability assessments across all installed plugins to identify similar exposure patterns and implement comprehensive security monitoring solutions to detect and prevent exploitation attempts.