Cyber Resilience

CVE-2025-11693

Critical

Published: 13 December 2025

Published
13 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0510 90.0th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11693 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539); ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).

Deeper analysis

The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to sensitive information exposure in all versions through 4.3.4. The flaw stems from publicly accessible cookies.txt files that can contain authentication cookies, assigned CWE-200 and rated 9.8 under CVSS 3.1.

Unauthenticated attackers can retrieve these cookies when they have been injected into log files after a site administrator initiates a backup operation under a privileged role such as administrator, enabling session hijacking and full site compromise.

The referenced WordPress plugin changeset documents the fix applied to the repository, while the Wordfence advisory supplies threat intelligence and confirms the need for an update to eliminate exposure of the cookies.txt files.

EPSS for CVE-2025-11693 rose from a low starting value to a peak of 0.1677 on 2026-04-24 before receding to the current 0.0510, indicating that exploitation interest emerged after disclosure.

EU & UK References

Vulnerability details

The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated…

more

attackers to cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.'

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The vulnerability directly exposes authentication cookies in publicly accessible cookies.txt files, facilitating theft of web session cookies (T1539) and access to unsecured credentials stored in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6346Shared CWE-200
CVE-2025-53624Shared CWE-200
CVE-2026-29779Shared CWE-200
CVE-2026-6347Shared CWE-200
CVE-2026-0789Shared CWE-200
CVE-2026-44738Shared CWE-200
CVE-2025-24232Shared CWE-200
CVE-2025-25729Shared CWE-200
CVE-2024-13911Shared CWE-200
CVE-2024-52975Shared CWE-200

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires organizations to review, restrict, and protect publicly accessible content to prevent exposure of sensitive authentication cookies in files like cookies.txt.

prevent

Mandates protection of authenticators such as authentication cookies from unauthorized disclosure and use by unauthenticated attackers.

prevent

Requires timely identification, reporting, and remediation of flaws like the plugin vulnerability that leads to public exposure of authentication cookies.

References