Cyber Posture

CVE-2025-11693

Critical

Published: 13 December 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0732 (91.8th percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11693 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). The CVE ranks in the top 8.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Web Session Cookie (T1539) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly requires organizations to review, restrict, and protect publicly accessible content to prevent exposure of sensitive authentication cookies in files like cookies.txt.

prevent: Mandates protection of authenticators such as authentication cookies from unauthorized disclosure and use by unauthenticated attackers.

prevent: Requires timely identification, reporting, and remediation of flaws like the plugin vulnerability that leads to public exposure of authentication cookies.

MITRE ATT&CK Enterprise Techniques [AI]

T1539 Steal Web Session Cookie (Tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1552.001 Credentials In Files (Tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

The vulnerability directly exposes authentication cookies in publicly accessible cookies.txt files, facilitating theft of web session cookies (T1539) and access to unsecured credentials stored in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.'

Deeper analysis [AI]

CVE-2025-11693 is a sensitive information exposure vulnerability (CWE-200) affecting the Export WP Page to Static HTML & PDF plugin for WordPress in all versions up to and including 4.3.4. The issue arises from publicly exposed cookies.txt files that contain authentication cookies, which can be accessed due to improper handling during backup processes.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). Exploitation occurs if a site administrator triggers a backup using a specific user role like administrator, injecting authentication cookies into the publicly accessible log file, allowing attackers to retrieve them and potentially gain unauthorized access or perform further actions.

Advisories reference a WordPress plugin trac changeset (3388166) indicating a patch, and a Wordfence threat intelligence report (ID cd28ac3c-aaef-49e3-843d-8532404703c9) detailing the vulnerability. Security practitioners should update to a patched version beyond 4.3.4 and review exposed files for remediation.
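For the "review exposed files" step, a local audit can walk the site's document root and flag any cookies.txt that holds WordPress authentication cookie names. This is an added example, not code from the plugin, the advisory, or this page's sources; the file location and format are not given on the page, so the script searches the whole tree and assumes the cookie names appear in plain text (as in a curl-style cookie jar).

```python
import os
import re
import sys

# WordPress auth cookie names: wordpress_<hash>, wordpress_sec_<hash>,
# wordpress_logged_in_<hash>, where <hash> is a 32-hex-digit site hash.
AUTH_COOKIE = re.compile(rb"wordpress_(?:logged_in_|sec_)?[0-9a-f]{32}")


def find_exposed_cookie_files(web_root, filename="cookies.txt"):
    """Return [(path, [cookie names])] for every cookies.txt under web_root
    that contains WordPress auth cookie names.

    Only cookie *names* are returned; values are never copied out of the
    file, so the audit report itself does not become a second leak.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() != filename:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError as exc:
                # An unreadable candidate still needs a manual look.
                print(f"UNREADABLE {path}: {exc}", file=sys.stderr)
                continue
            names = sorted({m.decode() for m in AUTH_COOKIE.findall(data)})
            if names:
                findings.append((path, names))
    return sorted(findings)


if __name__ == "__main__":
    # The document root is an assumption; pass the real one as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = find_exposed_cookie_files(root)
    for path, names in hits:
        print(f"EXPOSED {path}: {', '.join(names)}")
    sys.exit(1 if hits else 0)
```

A hit means the file should be removed from the web-served tree and the sessions behind the listed cookies treated as disclosed.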

Details

CWE(s)

Affected Products

WordPress
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-29779 (Shared CWE-200)
CVE-2026-0789 (Shared CWE-200)
CVE-2026-44738 (Shared CWE-200)
CVE-2025-53624 (Shared CWE-200)
CVE-2026-30928 (Shared CWE-200)
CVE-2024-52975 (Shared CWE-200)
CVE-2024-13609 (Shared CWE-200)
CVE-2024-13911 (Shared CWE-200)
CVE-2025-22961 (Shared CWE-200)
CVE-2025-24232 (Shared CWE-200)
