CVE-2026-5335 PUBLISHED

Magic Export & Import < 1.2.0 - Unauthenticated PII Disclosure

Assigner: WPScan
Reserved: 01.04.2026 Published: 04.05.2026 Updated: 04.05.2026

The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information.

Product Status

Vendor	Unknown
Product	Magic Export & Import
Versions	Default: unaffected affected from 0 to 1.2.0 (excl.)

Credits

Hoang Phuong finder
WPScan coordinator

References

https://wpscan.com/vulnerability/ed6f00de-bbae-4e89-9d0e-ded0d70e781c/

Problem Types

CWE-200 Information Exposure CWE