Token of Trust WordPress Plugin WooCommerce Donation Data Exposure Vulnerability
The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 4.0.2. This is due to the handle_export_table() function being registered on the WordPress 'init' hook, which fires for all requests, including those from unauthenticated visitors, without any capability check. This makes it possible for unauthenticated attackers to download a CSV file containing sensitive WooCommerce donation data, including order dates, order IDs, charitable donation amounts, and admin-only order edit URLs, simply by visiting any page on the site with the 'tot_export_table' GET parameter set to a numeric value (0–3).
Quick answer
Age Verification & Identity Verification by Token of Trust should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Age Verification & Identity Verification by Token of Trust up to and including 4.0.2
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Token of Trust is affected by CVE-2026-7558. Versions up to 4.0.2 can allow unauthenticated CSV export of WooCommerce donation data through a GET parameter, so patch and review whether order or donation data was exposed.
- Inventory WordPress and WooCommerce sites using Token of Trust.
- Update Token of Trust beyond 4.0.2 when a fixed release is available.
- Block the tot_export_table parameter at the edge or WAF until the plugin is patched.
- Review web logs for requests containing tot_export_table values 0 through 3.
- Assess whether exposed CSV data contains regulated, donor, or order information requiring notification workflows.
- Restrict unauthenticated export functionality and verify all export actions require explicit capabilities.
- Clear caches and remove any accidentally cached CSV responses.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Token of Trust is no longer version 4.0.2 or older.
- Request the export parameter unauthenticated in staging and confirm no CSV is returned.
- Confirm legitimate administrator exports still require authentication and capability checks.
- Review logs after mitigation for continued export attempts.
- Run a Fixnx scan and confirm public WooCommerce exposure has been rechecked.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-7558?
Age Verification & Identity Verification by Token of Trust versions listed as affected should be reviewed: Age Verification & Identity Verification by Token of Trust up to and including 4.0.2.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
