
CVE-2024-13923: SSRF in Order Export & Order Import for WooCommerce

Platform: wordpress

Component: order-import-export-for-woocommerce

Fixed in: 2.6.1

AI Confidence: high · Source: NVD · EPSS: 0.1% · Reviewed: May 2026

CVE-2024-13923 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Order Export & Order Import for WooCommerce plugin. The flaw allows authenticated attackers with administrator privileges to make the plugin issue arbitrary web requests from the WordPress server, potentially exposing internal resources that are not reachable from the internet. The vulnerability affects versions of the plugin up to and including 2.6.0. A patch is expected to resolve this issue.


Impact and Attack Scenarios

The SSRF vulnerability in Order Export & Order Import for WooCommerce allows an authenticated administrator to craft requests that the server sends to internal services. An attacker could use this to read sensitive data, modify configurations, or reach other internal systems that are not directly exposed to the internet. The potential blast radius extends to any internal service reachable from the WordPress server. Although administrator privileges are required, the vulnerability still represents a significant risk, particularly in shared-hosting environments or where administrator accounts are poorly secured. Exploitation could lead to data breaches, system compromise, and disruption of business operations.

Exploitation Context

CVE-2024-13923 was publicly disclosed on 2025-03-20. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the SSRF nature of the vulnerability makes it likely that PoCs will emerge. Given the ease of exploiting SSRF vulnerabilities, active exploitation is possible.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.13% (33rd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N (base score 7.6, High; source: nextguardhq.com)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: High — admin or privileged account required to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: order-import-export-for-woocommerce
Vendor: webtoffee
Affected range: * – 2.6.0
Fixed in: 2.6.1

Package Information

Active installs: 60K
Plugin rating: 4.7
Requires WordPress: 3.0+
Compatible up to: 6.9.4
Requires PHP: 5.6+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Unpatched — 430 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-13923 is to upgrade the Order Export & Order Import for WooCommerce plugin to a patched version as soon as it becomes available. Until a patch is released, consider temporary workarounds such as restricting outbound (egress) network access from the WordPress server through a Web Application Firewall (WAF) or proxy server, configured to block requests to internal IP ranges and other known sensitive endpoints. Review and restrict which internal resources the plugin can reach. After upgrading, confirm the fix by attempting to trigger a request to an internal service through the plugin's import functionality and verifying that the request is blocked or fails as expected.
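As an added example that is not the plugin's own code, the following shows how a WordPress plugin's "import from URL" feature can be hardened against this class of SSRF using core's wp_http_validate_url() and wp_safe_remote_get(); the example_* function, its error codes and the option name are hypothetical.

```php
<?php
// Added example, not code from the Order Export & Order Import plugin.
// Hardened "fetch import file from URL" helper; example_* names are hypothetical.

/**
 * Fetch a remote import file, refusing URLs that point at non-public hosts.
 *
 * @param string $url URL supplied by an administrator.
 * @return string|WP_Error Response body, or WP_Error when refused or failed.
 */
function example_fetch_import_file( $url ) {
    // wp_http_validate_url() rejects non-http(s) schemes, URLs that carry
    // credentials, and hosts resolving to 0/8, 10/8, 127/8, 172.16/12 or
    // 192.168/16 (unless the http_request_host_is_external filter allows them).
    $validated = wp_http_validate_url( $url );
    if ( false === $validated ) {
        return new WP_Error( 'example_ssrf_blocked', 'Refusing to fetch a non-public URL.' );
    }

    // Core's range check covers neither link-local (169.254/16, where cloud
    // metadata services live) nor IPv6 literals, so refuse those explicitly.
    $host = (string) wp_parse_url( $validated, PHP_URL_HOST );
    if ( '[' === substr( $host, 0, 1 ) || 0 === strpos( gethostbyname( $host ), '169.254.' ) ) {
        return new WP_Error( 'example_ssrf_blocked', 'Refusing link-local or IPv6 literal host.' );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so core re-validates the
    // request URL and every redirect hop: a public URL that 302s to an
    // internal address is stopped too. Keep redirects few and time-outs short.
    $response = wp_safe_remote_get( $validated, array( 'timeout' => 15, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'example_fetch_failed', 'Unexpected HTTP status from import source.' );
    }
    return wp_remote_retrieve_body( $response );
}

// Core calls this filter only when a host resolved to a private range, with
// $external defaulting to false. Returning true re-enables that host, so
// limit it to an explicit operator allow-list (hypothetical option name).
add_filter( 'http_request_host_is_external', function ( $external, $host, $url ) {
    $allowed = (array) get_option( 'example_import_allowed_hosts', array() );
    return in_array( $host, $allowed, true );
}, 10, 3 );
```

The lookup inside wp_http_validate_url() and the actual request are separate DNS resolutions, so a rebinding hostname can still slip through; host-level egress filtering on the server remains the backstop. With the helper loaded, `wp eval 'var_dump( example_fetch_import_file( "http://127.0.0.1/" ) );'` should return a WP_Error rather than a body.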

How to fix

Update the Order Export & Order Import for WooCommerce plugin to the latest available version. The Server-Side Request Forgery (SSRF) vulnerability has been fixed in versions later than 2.6.0.


Frequently asked questions

What is CVE-2024-13923 — SSRF in Order Export & Order Import for WooCommerce?

CVE-2024-13923 is a Server-Side Request Forgery vulnerability affecting versions of the Order Export & Order Import for WooCommerce plugin for WordPress up to and including 2.6.0, allowing authenticated administrators to make arbitrary web requests.

Am I affected by CVE-2024-13923 in Order Export & Order Import for WooCommerce?

You are affected if you are using the Order Export & Order Import for WooCommerce plugin version 2.6.0 or earlier. Check your plugin version and upgrade immediately.

How do I fix CVE-2024-13923 in Order Export & Order Import for WooCommerce?

Upgrade the Order Export & Order Import for WooCommerce plugin to the latest available version as soon as a patch is released. Until then, implement WAF rules to restrict outbound requests.

Is CVE-2024-13923 being actively exploited?

While no active exploitation has been confirmed, the SSRF nature of the vulnerability makes it a likely target, and exploitation is possible.

Where can I find the official Order Export & Order Import for WooCommerce advisory for CVE-2024-13923?

Refer to the plugin developer's website and WordPress plugin repository for the official advisory and patch release information.
