Skip to main content

WooCommerce Order Export CVE-2026-11360

| EUVDEUVD-2026-37844 MEDIUM
SQL Injection (CWE-89)
2026-06-18 Wordfence GHSA-jjw6-h3w9-jfw6
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Network-reachable endpoint requires active shop manager session and nonce (PR:H); no complexity beyond obtaining credentials (AC:L); read-only extraction means I:N and A:N.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 06:20 vuln.today
CVE Published
Jun 18, 2026 - 05:34 cve.org
MEDIUM 4.9

DescriptionCVE.org

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to, and including, 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The endpoint requires a valid woe_nonce and Shop Manager-level capabilities (view_woocommerce_reports or export_woocommerce_orders), and wp_magic_quotes protection is stripped via stripslashes_deep() before processing, allowing quote and backslash characters to survive intact into the SQL context.

AnalysisAI

SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain shop manager credentials
Delivery
Authenticate and retrieve valid woe_nonce
Exploit
Craft malicious sort_direction payload with appended SQL
Install
POST to WooCommerce export AJAX endpoint
C2
Plugin calls stripslashes_deep(), neutralizing magic quotes defense
Execute
Injected SQL executes in ORDER BY context
Impact
Sensitive database rows returned in export response

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following concurrent conditions: (1) a valid authenticated WordPress session with shop manager-level role or higher, specifically possessing the 'view_woocommerce_reports' or 'export_woocommerce_orders' capability; (2) a valid woe_nonce CSRF token obtainable only from within an active authenticated session; (3) the Advanced Order Export For WooCommerce plugin installed and active at version 4.0.10 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.9 with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately reflects the realistic threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained valid shop manager credentials - whether through phishing, credential stuffing, or a compromised shared account - authenticates to the WordPress admin panel, retrieves a valid woe_nonce token from the export page, and submits a crafted POST request to the export AJAX endpoint with a malicious 'sort_direction' value such as 'ASC UNION SELECT user_pass,user_login,1 FROM wp_users-- -'. Because stripslashes_deep() has already removed WordPress magic quotes protection before the value reaches the SQL query construction in class-wc-order-export-engine.php, the injected SQL executes and returns hashed WordPress user credentials or other sensitive table data within the export response. …
Remediation Update the Advanced Order Export For WooCommerce plugin to a version beyond 4.0.10 as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11360 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy