Skip to main content

Export WP Page EUVDEUVD-2026-31743

| CVE-2026-24574 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-25 Patchstack GHSA-cxqj-xvr9-wwhv
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:30 vuln.today

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery.

This issue affects Export WP Page to Static HTML/CSS: from n/a through 6.0.0.

AnalysisAI

Cross-Site Request Forgery in the Recorp Export WP Page to Static HTML/CSS WordPress plugin (versions through 6.0.0) allows unauthenticated remote attackers to force authenticated WordPress administrators into executing unauthorized state-changing plugin actions by tricking them into visiting a malicious web page. The CVSS vector (PR:N/UI:R/I:H) confirms no attacker authentication is required but victim interaction is mandatory, resulting in high integrity impact with no confidentiality or availability loss. No public exploit has been identified at time of analysis, and EPSS at 0.01% (3rd percentile) alongside SSVC exploitation status of 'none' indicate minimal current threat activity.

Technical ContextAI

The affected component is a WordPress plugin by Recorp that exports WordPress pages to static HTML and CSS files (CPE: cpe:2.3:a:recorp:export_wp_page_to_static_html/css:*:*:*:*:*:*:*:*). The root cause is CWE-352 (Cross-Site Request Forgery), a class of vulnerability where one or more state-changing HTTP endpoints in the plugin fail to validate WordPress nonces or check request origin headers. This allows a crafted third-party page to silently submit authenticated requests to the plugin on behalf of a logged-in administrator, since the browser automatically attaches session cookies. WordPress plugins are expected to use wp_verify_nonce() on all privileged AJAX or form actions; absence of this check is the core implementation flaw here.

RemediationAI

Patch available per vendor advisory - site administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/export-wp-page-to-static-html/vulnerability/wordpress-export-wp-page-to-static-html-css-plugin-6-0-0-cross-site-request-forgery-csrf-vulnerability) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-24574) for the exact patched release version, as no specific fix version number was confirmed in the available intelligence data. The exact patched version is not independently confirmed from provided sources - verify with the WordPress plugin repository before upgrading. As a compensating control pending patching, administrators should avoid visiting untrusted or unfamiliar URLs while logged into the WordPress admin panel, and consider using a dedicated browser profile for wp-admin sessions to isolate session cookies from general browsing. Restricting plugin installation to administrators only reduces the exposure surface but does not eliminate it. Note that these workarounds reduce risk but do not remediate the underlying nonce validation deficiency.

Share

EUVD-2026-31743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy