CVE-2025-11693
Published: 13 December 2025
Summary
CVE-2025-11693 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539); ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).
Deeper analysis
The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to sensitive information exposure in all versions through 4.3.4. The flaw stems from publicly accessible cookies.txt files that can contain authentication cookies, assigned CWE-200 and rated 9.8 under CVSS 3.1.
Unauthenticated attackers can retrieve these cookies when they have been injected into log files after a site administrator initiates a backup operation under a privileged role such as administrator, enabling session hijacking and full site compromise.
The referenced WordPress plugin changeset documents the fix applied to the repository, while the Wordfence advisory supplies threat intelligence and confirms the need for an update to eliminate exposure of the cookies.txt files.
EPSS for CVE-2025-11693 rose from a low starting value to a peak of 0.1677 on 2026-04-24 before receding to the current 0.0510, indicating that exploitation interest emerged after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-203201
Vulnerability details
The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated…
more
attackers to cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.'
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly exposes authentication cookies in publicly accessible cookies.txt files, facilitating theft of web session cookies (T1539) and access to unsecured credentials stored in files (T1552.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires organizations to review, restrict, and protect publicly accessible content to prevent exposure of sensitive authentication cookies in files like cookies.txt.
Mandates protection of authenticators such as authentication cookies from unauthorized disclosure and use by unauthenticated attackers.
Requires timely identification, reporting, and remediation of flaws like the plugin vulnerability that leads to public exposure of authentication cookies.