CVE-2025-62079

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 16:15 (nvd)

Description

Missing Authorization vulnerability in Damian WP Export Categories & Taxonomies wp-export-categories-taxonomies allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Export Categories & Taxonomies: from n/a through <= 1.0.3.

Analysis

The WP Export Categories & Taxonomies WordPress plugin through version 1.0.3 fails to enforce authorization checks on sensitive functionality, allowing unauthenticated or low-privileged users to exploit misconfigured access controls. The vulnerability stems from improper implementation of WordPress capability checks, potentially enabling unauthorized users to export or manipulate site taxonomy data. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical Context

The WP Export Categories & Taxonomies plugin, a WordPress extension designed to export category and taxonomy data, implements insufficient access control mechanisms. The vulnerability is rooted in CWE-862 (Missing Authorization), a class of flaws where the application fails to verify that users have the necessary permissions before allowing access to sensitive operations. WordPress plugins are expected to use properly configured capability checks (such as current_user_can() with appropriate capability strings) before allowing administrative or sensitive operations. The absence or incorrect implementation of these checks allows attackers to bypass intended access restrictions on export functionality, which could lead to unauthorized data extraction or modification of taxonomy structures.

Affected Products

The affected product is the WP Export Categories & Taxonomies WordPress plugin by Damian, from an unspecified baseline version through version 1.0.3 (CPE not provided in available data). The plugin is distributed via the WordPress plugin repository and is identifiable by the slug wp-export-categories-taxonomies. Affected installations include any WordPress site with this plugin installed and activated at version 1.0.3 or earlier. Additional version history and exact affected range details are available in the Patchstack vulnerability database linked in references.

Remediation

Update the WP Export Categories & Taxonomies plugin to the patched version released after 1.0.3. Sites running version 1.0.3 or earlier should immediately update to the latest available version through the WordPress admin dashboard (Plugins > Updates) or by downloading the latest version from the official WordPress plugin repository. As an interim measure pending patch deployment, site administrators should restrict plugin access by limiting the user roles that have the capability to export taxonomies, or temporarily disable the plugin if export functionality is not currently required. Patchstack's vulnerability report (https://patchstack.com/database/Wordpress/Plugin/wp-export-categories-taxonomies/vulnerability/wordpress-wp-export-categories-taxonomies-plugin-1-0-3-broken-access-control-vulnerability) provides additional remediation guidance and may include workaround details.
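To find the installations that need the update, the following added example (not code from the plugin, Patchstack or vuln.today) reads the plugin's header comment on disk and classifies each WordPress root against the affected range given above. It assumes the default wp-content/plugins layout and checks installed files only, not whether the plugin is activated.

```python
import re
from pathlib import Path

SLUG = "wp-export-categories-taxonomies"   # plugin slug given in the advisory
LAST_AFFECTED = (1, 0, 3)                  # advisory: affected through <= 1.0.3

# WordPress reads plugin metadata from a header comment near the top of a PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn '1.0.3' into (1, 0, 3); a part with no leading digits counts as 0."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if absent."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if NAME_RE.search(head):
            match = VERSION_RE.search(head)
            return match.group(1) if match else None
    return None


def audit(wp_root):
    """Classify one install as not-installed, unknown, affected or newer."""
    # Assumption: plugins live under the default wp-content/plugins directory.
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)   # no readable header: review this site by hand
    found = parse_version(version)
    width = max(len(found), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))   # so that 1.0 compares as 1.0.0
    status = "affected" if pad(found) <= pad(LAST_AFFECTED) else "newer"
    return (status, version)


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:
        print(root, *audit(root))
```

Run it with one or more WordPress root directories as arguments; an "unknown" result means the plugin directory exists but no version header could be read.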

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
