Platform
wordpress
Component
order-import-export-for-woocommerce
Fixed in
2.6.1
CVE-2024-13923 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Order Export & Order Import for WooCommerce plugin. This flaw allows authenticated attackers with administrator privileges to initiate arbitrary web requests from the plugin, potentially exposing sensitive internal resources. The vulnerability impacts versions of the plugin up to and including 2.6.0. A patch is expected to resolve this issue.
The SSRF vulnerability in Order Export & Order Import for WooCommerce allows an authenticated administrator to craft malicious requests that target internal services. An attacker could leverage this to query sensitive data, modify configurations, or even gain access to other internal systems that are not directly exposed to the internet. The potential blast radius extends to any internal service accessible from the WordPress server. While requiring administrator privileges, this vulnerability represents a significant risk, particularly in environments with shared hosting or where administrator accounts are poorly secured. Exploitation could lead to data breaches, system compromise, and disruption of business operations.
CVE-2024-13923 was publicly disclosed on 2025-03-20. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the SSRF nature of the vulnerability makes it likely that PoCs will emerge. Given the ease of exploiting SSRF vulnerabilities, active exploitation is possible.
Exploit Status
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13923 is to upgrade the Order Export & Order Import for WooCommerce plugin to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as restricting outbound network access from the WordPress server using a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests to internal IP addresses or known sensitive endpoints. Carefully review and restrict the plugin's access to internal resources. After upgrading, confirm the fix by attempting to trigger a request to an internal service through the plugin's functionality and verifying that the request is blocked or fails as expected.
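The "block requests to internal IP addresses" workaround above can also be enforced inside WordPress itself while waiting for the upgrade. The following must-use plugin is an added example, not code from the affected plugin or from WordPress core; it hooks the `pre_http_request` filter so that any request made through the WordPress HTTP API whose destination resolves to a non-public address is refused and logged. It assumes the plugin sends its requests through that API (`wp_remote_get()` and friends); a plugin that calls cURL directly bypasses this hook, which is why the host-level egress restriction remains necessary.

```php
<?php
/**
 * Plugin Name: Outbound request guard (hypothetical mu-plugin, added example)
 *
 * Refuses WordPress HTTP API requests whose destination resolves to a
 * loopback, link-local, private or otherwise non-public address.
 */

/** True when $ip is outside the public address space (IPv4 or IPv6). */
function orq_is_public_ip( $ip ) {
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.
    // NO_RES_RANGE:  0/8, 127/8, 169.254/16 (cloud metadata), 240/4, ::1, fe80::/10, ::ffff:0:0/96.
    return false !== filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

/** True when $url must not be fetched from this server. Fails closed on anything odd. */
function orq_is_internal_target( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) || ! in_array( $parts['scheme'] ?? '', array( 'http', 'https' ), true ) ) {
        return true; // file://, gopher://, dict:// and friends are never acceptable here
    }
    $host = trim( $parts['host'], '[]' ); // strip IPv6 literal brackets
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return ! orq_is_public_ip( $host );
    }
    // Resolve every A record (IPv4 only; AAAA lookups would need dns_get_record()).
    // Caveat: the HTTP client resolves again when it connects, so this check alone
    // does not defeat DNS rebinding; pair it with host-level egress rules.
    $ips = gethostbynamel( $host );
    if ( false === $ips || array() === $ips ) {
        return true; // unresolvable host: fail closed
    }
    foreach ( $ips as $ip ) {
        if ( ! orq_is_public_ip( $ip ) ) {
            return true; // one internal answer is enough to block
        }
    }
    return false;
}

// Short-circuit the request before WP_Http sends it, and leave an audit trail
// that a SIEM can alert on (an admin account suddenly reaching for RFC 1918 space).
add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
    if ( orq_is_internal_target( $url ) ) {
        error_log( sprintf( 'ssrf-guard: blocked outbound request to %s by user %d', $url, get_current_user_id() ) );
        return new WP_Error( 'ssrf_blocked', 'Outbound requests to internal addresses are not permitted.' );
    }
    return $preempt; // false: let WordPress perform the request as usual
}, 10, 3 );
```

Place the file in wp-content/mu-plugins/ so it loads before any ordinary plugin; rejected requests show up in the PHP error log as `ssrf-guard:` lines, which is also how you verify the workaround after deployment.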
Update the Order Export & Order Import for WooCommerce plugin to the latest available version. The Server-Side Request Forgery (SSRF) vulnerability has been fixed in versions later than 2.6.0.
CVE-2024-13923 is a Server-Side Request Forgery vulnerability affecting versions of the Order Export & Order Import for WooCommerce plugin for WordPress up to and including 2.6.0, allowing authenticated administrators to make arbitrary web requests.
You are affected if you are using the Order Export & Order Import for WooCommerce plugin version 2.6.0 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Order Export & Order Import for WooCommerce plugin to the latest available version as soon as a patch is released. Until then, implement WAF rules to restrict outbound requests.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability makes it a likely target, and exploitation is possible.
Refer to the plugin developer's website and WordPress plugin repository for the official advisory and patch release information.