CVE-2026-7558 Overview
CVE-2026-7558 is a missing authorization vulnerability [CWE-862] in the Age Verification & Identity Verification by Token of Trust plugin for WordPress. All versions up to and including 4.0.2 are affected. The handle_export_table() function is registered on the WordPress init hook, which executes for every request without any capability or nonce check. Unauthenticated attackers can trigger a CSV export of WooCommerce donation data by appending the tot_export_table GET parameter to any page request. The exported data includes order dates, order IDs, charitable donation amounts, and admin-only order edit URLs.
Critical Impact
Unauthenticated remote attackers can exfiltrate sensitive WooCommerce donation records from any vulnerable WordPress site by sending a single crafted GET request.
Affected Products
- Age Verification & Identity Verification by Token of Trust plugin for WordPress
- All versions up to and including 4.0.2
- Sites running the plugin's WooCommerce donations integration
Discovery Timeline
- 2026-07-09 - CVE-2026-7558 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-7558
Vulnerability Analysis
The vulnerability resides in the plugin's WooCommerce donations integration, specifically in class-donations.php. The handle_export_table() function is hooked into the WordPress init action, which fires on every HTTP request to the site. The function inspects the tot_export_table GET parameter and, when set to a numeric value between 0 and 3, streams a CSV export of donation records to the requester.
Because init runs before authentication context restrictions can be applied by application code, and the handler performs no current_user_can() capability check or nonce verification, any anonymous visitor can trigger the export. The response includes order dates, order IDs, donation amounts, and administrative order edit URLs that should be restricted to shop managers.
Root Cause
The root cause is a missing authorization check [CWE-862]. The plugin registers a sensitive data export handler on a public request hook without validating the caller's identity or permissions. WordPress does not automatically enforce access control on init-hooked callbacks, so the developer must implement capability checks explicitly.
Attack Vector
Exploitation requires no authentication, no user interaction, and no special network position. An attacker sends an HTTP GET request to any URL on the target site with the tot_export_table query parameter set to a numeric value between 0 and 3. The server responds with a CSV file containing the donation records. The technique is trivially automatable against exposed WordPress instances. Refer to the Wordfence Vulnerability Report and the vulnerable code in class-donations.php for the underlying implementation details.
Detection Methods for CVE-2026-7558
Indicators of Compromise
- HTTP GET requests to any site URL containing the query parameter tot_export_table with values 0, 1, 2, or 3.
- Outbound responses with Content-Type: text/csv or Content-Disposition: attachment originating from unauthenticated sessions.
- Access log entries from unknown IP addresses immediately followed by CSV downloads containing donation data.
Detection Strategies
- Search web server access logs for the string tot_export_table= in query parameters across all URIs, not just plugin-specific endpoints.
- Alert on any 200 response to unauthenticated requests carrying the tot_export_table parameter.
- Correlate anonymous CSV download responses with subsequent scraping or reconnaissance activity from the same source IP.
Monitoring Recommendations
- Enable verbose WordPress request logging or a web application firewall with request-body and query-string capture.
- Monitor for repeated iteration over the numeric values 0 through 3 in the tot_export_table parameter from a single client.
- Review WooCommerce order data access patterns for unusual off-hours or high-volume exports.
How to Mitigate CVE-2026-7558
Immediate Actions Required
- Update the Age Verification & Identity Verification by Token of Trust plugin to a version newer than 4.0.2 that addresses this issue.
- If an update is not immediately available, deactivate the plugin on production sites processing donation data.
- Block requests containing the tot_export_table query parameter at the web application firewall or reverse proxy.
- Audit web server logs for prior exploitation and notify affected donors if records were exfiltrated.
Patch Information
The fix is tracked in WordPress plugin change set 3539532. Site administrators should install the latest release of the Token of Trust plugin through the WordPress plugin manager or the vendor's distribution channel.
Workarounds
- Add a WAF rule to deny any request where the query string matches tot_export_table=[0-3].
- Restrict access to the WordPress site behind authentication or IP allow-listing until the plugin is patched.
- Temporarily disable the WooCommerce donations integration within the plugin configuration if a granular option exists.
# Example ModSecurity rule to block exploitation attempts
SecRule ARGS:tot_export_table "@rx ^[0-3]$" \
"id:1026075580,phase:1,deny,status:403,log,\
msg:'CVE-2026-7558 Token of Trust unauthorized CSV export attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

