CVE-2026-7558 in Age Verification & Identity Verification Plugininfo

Summary

by MITRE • 07/09/2026

The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 4.0.2. This is due to the handle_export_table() function being registered on the WordPress 'init' hook, which fires for all requests, including those from unauthenticated visitors, without any capability check. This makes it possible for unauthenticated attackers to download a CSV file containing sensitive WooCommerce donation data, including order dates, order IDs, charitable donation amounts, and admin-only order edit URLs, simply by visiting any page on the site with the 'tot_export_table' GET parameter set to a numeric value (0–3).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability in the Age Verification & Identity Verification by Token of Trust plugin for WordPress represents a critical authorization flaw that exposes sensitive donor information through improper access controls. This weakness exists within the handle_export_table() function which is improperly registered on the WordPress 'init' hook, creating a persistent security gap that affects all versions up to and including 4.0.2. The function executes regardless of user authentication status, eliminating any form of capability validation that should normally protect administrative data exports. This misconfiguration directly violates fundamental security principles outlined in CWE-284, which addresses inadequate access control mechanisms, and aligns with ATT&CK technique T1213.002 related to data from information repositories. The vulnerability operates at the application layer, specifically targeting WordPress's hook system where unauthorized execution occurs during every page load.

The technical exploitation of this vulnerability requires minimal effort from threat actors, as they simply need to append a specific GET parameter tot_export_table with a numeric value between 0 and 3 to any website URL. This parameter triggers the export functionality without requiring authentication or administrative privileges, making it particularly dangerous due to its accessibility and the sensitive nature of the exported data. The exported CSV file contains comprehensive information about WooCommerce donations including order dates that reveal temporal patterns of donor activity, unique order IDs that can be used for tracking purposes, actual donation amounts that represent financial data, and admin-only edit URLs that provide direct access to modify donor records. The lack of proper capability checks means that even basic website visitors can access this administrative functionality, creating an information disclosure vulnerability that directly impacts the privacy and security of donor data.

The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with actionable intelligence about donation patterns and financial flows within organizations using this plugin. The inclusion of admin edit URLs in the exported data creates additional risk by potentially enabling attackers to modify or manipulate donation records, which could lead to financial fraud or data integrity issues. This vulnerability particularly affects organizations that rely on WooCommerce for charitable donations where donor privacy is paramount, as it creates a pathway for unauthorized parties to gather sensitive information about individual donors and their contribution patterns. The continuous execution of the export function through the WordPress init hook means that this vulnerability is active throughout all site operations without requiring additional authentication or specific attack vectors.

Mitigation strategies for this vulnerability should focus on immediate code-level fixes that implement proper capability checks before allowing export functionality to execute. The handle_export_table() function must be modified to verify user capabilities using WordPress's built-in permission systems such as current_user_can() with appropriate administrative roles before proceeding with data export operations. Organizations should also consider implementing additional security measures including rate limiting on export requests, monitoring for unusual export activity patterns, and ensuring that the plugin is updated to versions that address this specific authorization flaw. The vulnerability demonstrates the critical importance of proper input validation and access control implementation in WordPress plugins, as highlighted by CWE-352 which addresses cross-site request forgery issues that often stem from similar misconfigurations. Regular security audits of WordPress plugins should include verification of hook registrations and capability checks to prevent similar unauthorized access scenarios.

Responsible

Wordfence

Reservation

04/30/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!