The Export Users to CSV plugin exports a CSV file containing sensitive user data (the user table of the WordPress site).
The generated files are written to a publicly reachable directory under a predictable filename derived from a Unix timestamp. Because the name depends only on the time of the export, an unauthenticated attacker who knows roughly when an export was run can enumerate candidate names within that window until one is served; the files are also reachable through path traversal.
The plugin gives the administrator no overview of previously exported files, and the generated files are never deleted, so once an export has been produced it remains exposed indefinitely.
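To make the enumeration concrete, the following Python script is an added example and not code from the plugin or its author. It contrasts a timestamp-derived filename with one drawn from a CSPRNG and counts the requests an attacker needs when the export time is known only to within an hour. The directory, the `users-<timestamp>.csv` pattern, the constructed timestamp and the in-memory "server" are assumptions for illustration, not the plugin's actual layout.

```python
"""Enumerability of timestamp-derived export names vs. random names.

Added example, not code from the Export Users to CSV plugin. The directory
and naming pattern below are hypothetical and chosen only to show the
mechanism; the real plugin's paths are not reproduced here.
"""

import secrets
from typing import Callable, Dict, List

# Hypothetical public directory (assumption, not the plugin's real path).
EXPORT_DIR = "/wp-content/uploads/exports"


def timestamp_name(ts: int) -> str:
    """Vulnerable scheme: the name is a pure function of a Unix timestamp.

    Hypothetical pattern; the point is that time alone determines the name.
    """
    return f"users-{ts}.csv"


def random_name() -> str:
    """Hardened scheme: 128 bits from the OS CSPRNG, unrelated to time.

    Knowing when the export ran gives no advantage in guessing the name.
    """
    return f"users-{secrets.token_urlsafe(16)}.csv"


def candidate_urls(approx_ts: int, window_seconds: int) -> List[str]:
    """Every URL an attacker must try if the export happened within
    +/- window_seconds of approx_ts under the timestamp scheme."""
    return [
        f"{EXPORT_DIR}/{timestamp_name(t)}"
        for t in range(approx_ts - window_seconds, approx_ts + window_seconds + 1)
    ]


def enumerate_exports(
    approx_ts: int, window_seconds: int, exists: Callable[[str], bool]
) -> List[str]:
    """Probe each candidate with `exists` (in practice an HTTP HEAD/GET
    returning 200) and return the URLs that are actually served."""
    return [url for url in candidate_urls(approx_ts, window_seconds) if exists(url)]


def demo() -> Dict[str, object]:
    """Constructed target: one export written under each naming scheme at the
    same (arbitrary, constructed) timestamp; the attacker's guess of the
    export time is off by 15 minutes and they search a one-hour window."""
    export_ts = 1563883200
    public_files = {
        f"{EXPORT_DIR}/{timestamp_name(export_ts)}",
        f"{EXPORT_DIR}/{random_name()}",
    }
    exists = public_files.__contains__  # stand-in for a network probe

    guessed_ts = export_ts + 900
    window = 3600
    hits = enumerate_exports(guessed_ts, window, exists)
    return {
        "requests_needed": len(candidate_urls(guessed_ts, window)),
        "found": hits,
        # The random-named export is never reached by this search.
        "random_name_found": any("users-1" not in h for h in hits),
    }


if __name__ == "__main__":
    result = demo()
    print(f"{result['requests_needed']} requests cover the window")
    print("timestamp-named export recovered:", result["found"])
    print("random-named export recovered:", result["random_name_found"])
```

A one-hour uncertainty costs 7201 requests, trivial against a web server, and the timestamp-named file is recovered; the CSPRNG-named file is not, because its name is independent of time. A random name alone is still not a fix: the file should live outside the web root (or behind a handler that checks the requester's capability) and be removed once downloaded, so that the indefinite retention described above cannot turn a later leak of the name into a data exposure.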
2019-07-23: Vulnerability found
2019-07-23: Reported to vendor
2019-07-23: Vendor responded
2019-08-09: Reported to WordPress Plugin Review Team
2019-08-09: WordPress Plugin Review Team responded
2019-08-09: Plugin closed on the WordPress plugin repository
2019-09-19: Vendor released a fixed version (1.4)
2019-10-07: Public disclosure