hiWeb Export Posts WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Arbitrary File Deletion
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the hiWeb Export Posts plugin for WordPress, affecting all versions up to and including 0.9.0.0. The vulnerability arises from inadequate nonce validation in the tool-dashboard-history.php file: because the delete action is not tied to a valid nonce, an unauthenticated attacker can delete arbitrary files from the server by tricking an administrator into clicking a link that initiates the deletion under the administrator's session. This file deletion could lead to remote code execution, particularly if a critical file such as wp-config.php is removed.
Impact
Successful exploitation allows arbitrary file deletion on the server, which could be leveraged for remote code execution, particularly if sensitive files are targeted.
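The following is an added illustrative example, not code from the hiWeb Export Posts plugin (the plugin's tool-dashboard-history.php is not reproduced here). It contrasts the general pattern the advisory describes (a delete action with no nonce check and a caller-supplied path) with a hardened handler using WordPress's own nonce, capability and path-confinement primitives. All function names prefixed hiweb_demo_ and the "hiweb-demo-history" directory are hypothetical.

```php
<?php
// Added example for this advisory; NOT the plugin's own code.
// hiweb_demo_* names and the history directory are hypothetical.

// --- The class of defect described in the advisory ---
// No nonce check and no path restriction: any request that arrives with the
// victim's logged-in cookie (including one forged from another site) is honored.
function hiweb_demo_delete_history_unsafe() {
    $file = isset( $_GET['file'] ) ? $_GET['file'] : '';
    if ( $file !== '' && file_exists( $file ) ) {
        unlink( $file );
    }
}

// --- Hardened form ---
function hiweb_demo_history_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'hiweb-demo-history/';
}

function hiweb_demo_delete_history_safe() {
    // 1. Capability check: only users allowed to manage the site may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: a cross-site request cannot carry a valid nonce, because
    //    the nonce is bound to the user/session and only appears in the admin
    //    page the attacker cannot read. check_admin_referer() calls wp_die()
    //    when the nonce is missing or invalid.
    check_admin_referer( 'hiweb_demo_delete_history', 'hiweb_demo_nonce' );

    // 3. Accept a file *name*, not a path, and confine it to the plugin directory.
    //    sanitize_file_name() strips "/" and "\"; the leading-dot check blocks
    //    dotfiles and the remains of "..".
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( $name === '' || '.' === $name[0] ) {
        wp_die( 'Invalid file name.', '', array( 'response' => 400 ) );
    }

    $dir    = hiweb_demo_history_dir();
    $target = realpath( $dir . $name );
    // realpath() resolves symlinks and "..", so compare the canonical prefix.
    if ( false === $target || 0 !== strpos( $target, realpath( $dir ) . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'File is outside the history directory.', '', array( 'response' => 400 ) );
    }

    // 4. Delete through WordPress's helper rather than raw unlink().
    wp_delete_file( $target );
    wp_safe_redirect( admin_url( 'tools.php?page=hiweb-demo-history&deleted=1' ) );
    exit;
}

// Registered only for logged-in users via admin-post.php; no admin_post_nopriv_*
// hook is added, so anonymous requests never reach the handler.
add_action( 'admin_post_hiweb_demo_delete_history', 'hiweb_demo_delete_history_safe' );

// The legitimate form must embed the matching nonce field for the check above to pass.
function hiweb_demo_render_delete_form( $name ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hiweb_demo_delete_history">
        <input type="hidden" name="file" value="<?php echo esc_attr( $name ); ?>">
        <?php wp_nonce_field( 'hiweb_demo_delete_history', 'hiweb_demo_nonce' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, the three things to confirm in any state-changing admin action are present here in order: a capability check, a nonce check (check_admin_referer() or wp_verify_nonce()), and validation that the target file resolves inside a directory the plugin owns. A nonce check alone does not stop a logged-in low-privilege user, and a capability check alone does not stop CSRF against an administrator, so both are needed.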
