Platform
wordpress
Component
order-import-export-for-woocommerce
Fixed in
2.6.1
CVE-2024-13923 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Order Export & Order Import for WooCommerce plugin. This flaw allows authenticated attackers with administrator privileges to initiate arbitrary web requests from the plugin, potentially exposing sensitive internal resources. The vulnerability impacts versions of the plugin up to and including 2.6.0. A patch is expected to resolve this issue.
The SSRF vulnerability in Order Export & Order Import for WooCommerce allows an authenticated administrator to craft malicious requests that target internal services. An attacker could leverage this to query sensitive data, modify configurations, or even gain access to other internal systems that are not directly exposed to the internet. The potential blast radius extends to any internal service accessible from the WordPress server. While requiring administrator privileges, this vulnerability represents a significant risk, particularly in environments with shared hosting or where administrator accounts are poorly secured. Exploitation could lead to data breaches, system compromise, and disruption of business operations.
CVE-2024-13923 was publicly disclosed on 2025-03-20. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the SSRF nature of the vulnerability makes it likely that PoCs will emerge. Given the ease of exploiting SSRF vulnerabilities, active exploitation is possible.
WordPress websites utilizing the Order Export & Order Import for WooCommerce plugin, particularly those with administrator accounts that have broad network access or are susceptible to credential compromise, are at risk. Shared hosting environments where multiple websites share the same server infrastructure are also at increased risk, as a successful exploitation on one site could potentially impact others.
• wordpress / composer / npm:
grep -r 'validate_file(' /var/www/html/wp-content/plugins/order-export-order-import-for-woocommerce/*
• generic web:
curl -I <wordpress_site>/wp-content/plugins/order-export-order-import-for-woocommerce/validate_file.php | grep Server
Disclosure
Exploit status
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13923 is to upgrade the Order Export & Order Import for WooCommerce plugin to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as restricting outbound network access from the WordPress server using a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests to internal IP addresses or known sensitive endpoints. Carefully review and restrict the plugin's access to internal resources. After upgrading, confirm the fix by attempting to trigger a request to an internal service through the plugin's functionality and verifying that the request is blocked or fails as expected.
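As an added example that is not part of this advisory or of the plugin: a WordPress must-use plugin (placed in wp-content/mu-plugins/) that applies the "restrict outbound access" workaround inside the application, refusing any WordPress HTTP API request whose destination resolves to a loopback, private or reserved address. The `pre_http_request` filter and the `WP_Error` short-circuit are standard WordPress; the function name `egress_guard_target_is_internal` is my own.

```php
<?php
/**
 * Added example, not the plugin's or the advisory's code: block outbound
 * wp_remote_*() requests to internal addresses. This only covers requests
 * made through the WordPress HTTP API (cURL calls made directly by a plugin
 * bypass it), so it complements, not replaces, a network-level egress policy.
 */

// Resolve the target host and decide whether it is internal (private,
// loopback or reserved). Unparsable or unresolvable targets fail closed.
function egress_guard_target_is_internal( $url ) {
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( empty( $host ) ) {
        return true; // no usable host: fail closed
    }
    $host = trim( $host, '[]' ); // strip brackets from an IPv6 literal

    // Literal IP addresses are used as-is; names are resolved to an A record.
    // gethostbyname() returns the name unchanged when resolution fails.
    $ip = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return true; // could not resolve: fail closed
    }

    // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, etc.
    $public = filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return false === $public;
}

// Returning a WP_Error from pre_http_request aborts the request before it is sent.
add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
    if ( false !== $preempt ) {
        return $preempt; // another filter already handled this request
    }
    if ( egress_guard_target_is_internal( $url ) ) {
        error_log( sprintf( 'egress_guard: blocked outbound request to %s', $url ) );
        return new WP_Error(
            'egress_blocked',
            'Outbound requests to internal addresses are not allowed.'
        );
    }
    return $preempt;
}, 10, 3 );
```

The guard resolves the hostname once and cURL resolves it again when sending, so a DNS name that changes its answer between the two lookups (rebinding) is not caught here; an egress proxy or firewall rule on the server covers that gap.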
Update the Order Export & Order Import for WooCommerce plugin to the latest available version. The SSRF (Server-Side Request Forgery) vulnerability was fixed in versions after 2.6.0.
CVE-2024-13923 is a Server-Side Request Forgery vulnerability affecting versions of the Order Export & Order Import for WooCommerce plugin for WordPress up to and including 2.6.0, allowing authenticated administrators to make arbitrary web requests.
You are affected if you are using the Order Export & Order Import for WooCommerce plugin version 2.6.0 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Order Export & Order Import for WooCommerce plugin to the latest available version as soon as a patch is released. Until then, implement WAF rules to restrict outbound requests.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability makes it a likely target, and exploitation is possible.
Refer to the plugin developer's website and WordPress plugin repository for the official advisory and patch release information.