CVE-2026-12240

WordPress · Export User Data Plugin

The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to improper file path validation in the unserialize function.

Executive summary

A critical arbitrary file deletion vulnerability in the Export User Data WordPress plugin allows attackers to remove essential system files, potentially leading to a complete site outage.

Vulnerability

The plugin fails to adequately sanitize input before processing it through the unserialize function, allowing an attacker to manipulate file paths. This vulnerability likely requires elevated privileges, though the impact is significant due to the potential for permanent data loss or site destruction.
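The pattern behind this class of bug is a file operation whose path comes, directly or via unserialize(), from data the code never constrains to an expected directory. The PHP below is an added, hypothetical example (not the Export User Data plugin's code) of the two defensive checks an administrator or plugin author would expect: a deletion helper that canonicalizes the path and refuses anything outside one allowed directory, and a decoder that never lets unserialize() instantiate objects. EXPORT_DIR, resolve_inside(), safe_delete_export() and decode_export_options() are all assumed names.

```php
<?php
// Added example, not the plugin's code. All names and the directory are hypothetical.
declare(strict_types=1);

// Hypothetical directory in which generated export files are allowed to live.
const EXPORT_DIR = '/var/www/html/wp-content/uploads/user-exports';

/**
 * Canonicalize $candidate and confirm it lies inside $baseDir.
 * Returns the canonical path, or null if either path is missing or the
 * target resolves outside $baseDir (covers "../" sequences and symlinks).
 */
function resolve_inside(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null; // base directory missing, or target does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null; // resolved path escaped the allowed directory
    }
    return $real;
}

/**
 * Delete a previously generated export file, but only when the request is a
 * bare file name with an expected extension that resolves to a regular file
 * inside EXPORT_DIR. Never accept a full path from the request.
 */
function safe_delete_export(string $requestedName): bool
{
    if ($requestedName !== basename($requestedName)) {
        return false; // contains a directory component
    }
    if (!preg_match('/^[A-Za-z0-9_-]+\.(csv|json|xml)$/', $requestedName)) {
        return false; // unexpected characters or extension
    }
    $path = resolve_inside(EXPORT_DIR, EXPORT_DIR . DIRECTORY_SEPARATOR . $requestedName);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

/**
 * Decode stored option data without letting unserialize() create objects.
 * JSON is tried first; for legacy serialized data, allowed_classes => false
 * means a crafted string cannot trigger __wakeup()/__destruct() side effects.
 */
function decode_export_options(string $stored): array
{
    $json = json_decode($stored, true);
    if (is_array($json)) {
        return $json;
    }
    $data = @unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}
```

In a real WordPress handler these helpers would sit behind the usual capability and nonce checks (current_user_can() and check_admin_referer()); the point of the example is that even a privileged request cannot steer the deletion outside the one directory the feature is supposed to manage, which is exactly the constraint the advisory says is missing.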

Business impact

The ability to delete arbitrary files on the server can result in complete site downtime, loss of configuration, or the removal of critical security files. With a CVSS score of 8.0, this high-severity vulnerability poses an immediate threat to the operational continuity and integrity of the affected WordPress site.

Remediation

Immediate Action: Update the Export User Data plugin to the latest available version, or deactivate and remove the plugin if it is not strictly necessary for business operations.

Proactive Monitoring: Monitor file system integrity and review WordPress administrative audit logs for unusual file deletion activity or unauthorized plugin configuration changes.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block malicious serialized input and restrict file system access permissions to the minimum necessary for the web server user.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Site administrators should treat this vulnerability with urgency. If an update is not immediately available, the safest course of action is to disable the plugin entirely to prevent potential site destruction by unauthorized parties.