PatchSiren


CVE-2026-24574 Recorp CVE debrief

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Export WP Page to Static HTML/CSS WordPress plugin, affecting versions through 6.0.0. CSRF vulnerabilities allow attackers to trick authenticated users into performing unintended actions on a web application without their knowledge. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) describes a network-accessible attack with low complexity that requires no privileges but does require user interaction, with high integrity impact and no confidentiality or availability impact. The vulnerability was published on 2026-05-25 and last modified on 2026-05-26. The weakness is categorized as CWE-352 (Cross-Site Request Forgery).

Vendor: Recorp
Product: Export WP Page to Static HTML/CSS
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

WordPress site administrators using the Export WP Page to Static HTML/CSS plugin; security teams managing WordPress installations; developers maintaining WordPress plugins with administrative functionality

Technical summary

The Export WP Page to Static HTML/CSS WordPress plugin contains a Cross-Site Request Forgery vulnerability in versions through 6.0.0. The plugin fails to properly validate or require nonces for state-changing requests, allowing attackers to forge requests that execute actions in the context of an authenticated administrator. The attack requires user interaction (e.g., clicking a malicious link) but can result in high integrity impact such as unauthorized configuration changes or data manipulation. The vulnerability is exploitable over the network with low attack complexity.

Defensive priority

medium

Recommended defensive actions

  • Update Export WP Page to Static HTML/CSS WordPress plugin to a version newer than 6.0.0 when available
  • Implement additional CSRF protections such as SameSite cookie attributes and custom request headers for administrative functions
  • Review WordPress admin user sessions for unexpected actions around the plugin's export functionality
  • Monitor for plugin security updates from the vendor
  • Consider implementing Web Application Firewall (WAF) rules to detect and block suspicious cross-origin requests to plugin endpoints
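
One way to carry out the session-review and cross-origin monitoring actions above, as an added example that is not from the advisory or the plugin vendor: it scans combined-format access log lines for state-changing requests to WordPress admin entry points whose Referer is not the site itself. The site host, the log lines and the `action` value are constructed placeholders, because the advisory does not name the plugin's endpoints.

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "blog.example.test"  # assumption: the site's own host name (placeholder)
# WordPress admin entry points that process state-changing requests.
ADMIN_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
               "/wp-admin/admin.php")
LINE_RE = re.compile(  # Apache/nginx "combined" access log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def cross_site_admin_requests(lines, site_host=SITE_HOST):
    """Return admin requests whose Referer host is missing or not the site."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        target = urlsplit(m["target"])
        query = parse_qs(target.query)
        # Keep POSTs, and GETs that carry an action parameter, to admin paths only.
        if target.path not in ADMIN_PATHS or (m["method"] != "POST" and "action" not in query):
            continue
        ref_host = urlsplit(m["referer"]).hostname or ""  # "-" and "" give no host
        if ref_host == site_host.lower():
            continue  # request started from the site's own pages
        findings.append({
            "time": m["ts"], "ip": m["ip"], "method": m["method"],
            "path": target.path, "action": query.get("action", [""])[0],
            "referer": ref_host or "(none)", "status": int(m["status"]),
        })
    return findings

# Constructed sample lines, not real traffic; "example_export" is a placeholder action.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/May/2026:10:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://blog.example.test/wp-admin/admin.php?page=example" "Mozilla/5.0"',
    '203.0.113.10 - - [25/May/2026:10:07:40 +0000] "POST /wp-admin/admin-post.php?action=example_export HTTP/1.1" 302 0 "https://other.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.10 - - [25/May/2026:10:08:02 +0000] "GET /wp-admin/admin.php?page=example HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/May/2026:10:09:15 +0000] "GET /index.php HTTP/1.1" 200 4000 "https://other.example.net/" "Mozilla/5.0"',
    '203.0.113.10 - - [25/May/2026:10:11:30 +0000] "GET /wp-admin/admin-post.php?action=example_export HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in cross_site_admin_requests(SAMPLE_LOG):
        print(finding)
```

A missing Referer can also result from a referrer policy or privacy tooling, so findings are leads to correlate with administrator session activity rather than confirmed forged requests.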

Evidence notes

The vulnerability affects the Export WP Page to Static HTML/CSS WordPress plugin versions through 6.0.0. The source indicates this was reported by Patchstack. The NVD status is currently 'Deferred'. No known exploitation in the wild or ransomware campaign use has been identified.

Official resources

2026-05-25T21:16:34.233Z