CVE-2025-11693

The Export WP Page to Static HTML · Multiple Products

Executive summary

A critical vulnerability has been identified in the Export WP Page to Static HTML & PDF plugin for WordPress, assigned CVE-2025-11693 with a CVSS score of 9.8. This flaw publicly exposes a file containing sensitive authentication cookies, allowing unauthenticated attackers to potentially steal these cookies and gain complete administrative control over the affected website. Successful exploitation could lead to a full site compromise, data theft, and reputational damage.

Vulnerability

The plugin creates a publicly accessible cookies.txt file during the backup process. When a privileged user, such as an administrator, initiates a backup, their session authentication cookies are written to this file. An unauthenticated attacker can discover and access this file via a direct web request, steal the cookies, and use them to impersonate the administrator, thereby gaining full unauthorized access to the WordPress site's administrative functions.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could result in a complete compromise of the organization's website. An attacker with administrative access can deface the site, steal sensitive customer or business data, install malware or backdoors, and use the compromised server to launch further attacks. The potential consequences include significant financial loss, severe reputational damage, regulatory penalties for data breaches, and loss of customer trust.

Remediation

Immediate Action: Update the Export WP Page to Static HTML plugin to the latest version, which addresses this vulnerability. After updating, search the web server's file system for any existing cookies.txt files created by the plugin and securely delete them. Review access logs for any requests to cookies.txt to identify potential prior compromise.

Proactive Monitoring: Monitor web server access logs for any HTTP GET requests targeting cookies.txt or other unusual file names. Scrutinize WordPress administrative logs for unexpected activity, such as logins from unfamiliar IP addresses, creation of new admin users, or unauthorized content changes.
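The log review described above can be scripted. The following is an added example, not code from the plugin or its vendor: it scans access-log lines for requests to cookies.txt and separates requests where the file was actually served from those that were denied or found nothing. It assumes the Apache/Nginx "combined" log format; the sample lines, IP addresses and the EXAMPLE-DIR path are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/Nginx "combined" access-log line: client IP, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# cookies.txt as the final path segment, in any letter case.
COOKIE_FILE_RE = re.compile(r'(?:^|/)cookies\.txt$', re.IGNORECASE)

# Constructed sample lines; EXAMPLE-DIR is a placeholder, not the plugin's real path.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2025:10:01:44 +0000] "GET /wp-content/uploads/EXAMPLE-DIR/cookies.txt HTTP/1.1" 200 612 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/Oct/2025:10:05:02 +0000] "GET /wp-content/uploads/EXAMPLE-DIR/cookies.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [12/Oct/2025:10:06:30 +0000] "GET /blog/my-cookies.txt-recipe/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"',
    '192.0.2.40 - - [12/Oct/2025:10:09:11 +0000] "GET /wp-content/uploads/EXAMPLE-DIR/Cookies%2Etxt?x=1 HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]


def find_cookie_file_requests(lines):
    """Group every request for a cookies.txt file by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # Drop the query string and decode %-escapes before matching the file name.
        path = unquote(m["target"].split("?", 1)[0])
        if not COOKIE_FILE_RE.search(path):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 2xx response with a body means the file contents left the server.
        served = 200 <= status < 300 and size > 0
        hits[m["ip"]].append({"time": m["ts"], "path": path,
                              "status": status, "served": served})
    return dict(hits)


def clients_served(hits):
    """IPs that actually received the file: treat as potential prior compromise."""
    return sorted(ip for ip, reqs in hits.items() if any(r["served"] for r in reqs))


if __name__ == "__main__":
    found = find_cookie_file_requests(SAMPLE_LOG)
    print("requested:", sorted(found), "served to:", clients_served(found))
```

Requests that returned 403 or 404 are still worth recording, since they show the file name was being probed even where nothing was served.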

Compensating Controls: If patching is not immediately possible, consider the following controls:

  • Implement a Web Application Firewall (WAF) rule to block all external access to cookies.txt files.
  • Configure web server rules (e.g., via .htaccess on Apache) to deny direct access to the directory where the plugin stores these files.
  • Temporarily disable the plugin until it can be safely updated.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) and the simplicity of exploitation, immediate action is required. We strongly recommend that all organizations using the affected WordPress plugin apply the security update provided by the vendor without delay. In addition to patching, it is crucial to scan for and remove any exposed cookie files and review logs for signs of compromise. The potential for a complete site takeover represents a direct and severe threat to business operations.