CVE-2026-12240 | The Export User Data plugin for WordPress is vulnerable to a… | CVSS 8.0 HIGH

Description

The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to trigger a user data export while a subscriber-level (or higher) user has stored a crafted serialized XLSXWriter object payload as their display name.

Metadata

CVE ID: CVE-2026-12240
State: PUBLISHED
Assigner: Wordfence
Reserved: 2026-06-15 05:02 UTC
Published: 2026-06-30 06:52 UTC
Last updated: 2026-06-30 06:52 UTC
Primary CWE: CWE-502
CWE-502 Deserialization of Untrusted Data
Vendor / Product: qlstudio / Export User Data
Sources: cve.org · NVD

Severity & Metrics

8.0 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
qlstudio	Export User Data	—	0 ≤ 2.2.6

Weakness (CWE)

CWE	Source	Description
CWE-502	cna	CWE-502 Deserialization of Untrusted Data

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.0	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (2)