Platform: wordpress
Component: ni-woocommerce-order-export
Fixed in: 3.1.7
CVE-2026-4140 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Ni WooCommerce Order Export plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's configuration settings. The vulnerability impacts versions up to and including 3.1.6. A fix is available in a later version of the plugin.
An attacker exploiting this CSRF vulnerability can modify the Ni WooCommerce Order Export plugin's settings without authentication. This could lead to unauthorized data exports, altered export configurations, or even the injection of malicious code if the plugin settings control export behavior. The potential impact extends to sensitive customer data contained within WooCommerce orders, as the attacker could manipulate export destinations or filtering criteria. Successful exploitation could compromise the integrity and confidentiality of order data, potentially leading to data breaches and regulatory compliance issues. While the plugin itself doesn't directly handle sensitive data, its configuration controls how that data is processed and exported.
CVE-2026-4140 was published on 2026-04-21. There is no indication of this vulnerability being actively exploited in the wild. The EPSS score is likely Low, given the lack of public exploits and the relatively straightforward mitigation of upgrading the plugin. No known KEV listing. Check the WordPress plugin repository and security mailing lists for updates.
EPSS: 0.01% (0% percentile)
The primary mitigation for CVE-2026-4140 is to upgrade the Ni WooCommerce Order Export plugin to a version that includes the necessary nonce validation fixes. If immediate upgrading is not possible due to compatibility concerns or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests to the niorderexportaction() AJAX handler that lack a valid CSRF token. Additionally, restrict access to the plugin's settings page using WordPress's role-based access control features to limit who can modify the configuration. After upgrading, confirm the fix by attempting a CSRF attack against the niorderexportaction() endpoint using a forged request and verifying that the request is rejected due to nonce validation.
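To make the nonce validation referred to above concrete, here is a hypothetical WordPress AJAX settings handler in the vulnerable style beside its hardened form. This is added example code, not the Ni WooCommerce Order Export plugin's own source; the action, option, nonce and capability names are assumptions.

```php
<?php
// Added illustration of the nonce-validation fix pattern for a WordPress AJAX
// settings handler. NOT the Ni WooCommerce Order Export source: action, option
// and nonce names below are assumptions.

// Vulnerable style: acts on $_POST with no proof the request came from the
// plugin's own settings page, so a cross-site form can change the settings.
function example_save_export_settings_unsafe() {
    update_option( 'example_export_settings', array(
        'format'      => sanitize_text_field( wp_unslash( $_POST['format'] ?? 'csv' ) ),
        'destination' => sanitize_text_field( wp_unslash( $_POST['destination'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// Hardened: nonce check and capability check before any state change.
function example_save_export_settings() {
    // CSRF guard: the nonce is bound to the action name and the user's session,
    // so a cross-site form cannot supply it. Sends a 403 and exits on failure.
    check_ajax_referer( 'example_export_settings_nonce', 'security' );
    // Authorization guard: a nonce proves intent, not privilege, so both are needed.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    // Validate against an allow-list rather than trusting free-form input.
    $format = sanitize_text_field( wp_unslash( $_POST['format'] ?? 'csv' ) );
    if ( ! in_array( $format, array( 'csv', 'xlsx', 'json' ), true ) ) {
        wp_send_json_error( array( 'message' => 'invalid format' ), 400 );
    }
    update_option( 'example_export_settings', array(
        'format'      => $format,
        'destination' => sanitize_text_field( wp_unslash( $_POST['destination'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
// Only the hardened handler is registered; the unsafe one is kept for contrast.
add_action( 'wp_ajax_example_save_export_settings', 'example_save_export_settings' );

// Settings page: hand the nonce to the plugin's own JavaScript, which sends it
// back as the 'security' POST field on every settings request.
function example_enqueue_settings_script() {
    wp_enqueue_script( 'example-export-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-export-settings', 'exampleExport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_export_settings_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

A request that omits or forges the `security` field fails `check_ajax_referer()` before any option is written, which is the behaviour the post-upgrade check in the paragraph above should observe.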
CVE-2026-4140 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ni WooCommerce Order Export plugin for WordPress versions up to 3.1.6. It allows attackers to modify plugin settings without authentication.
You are affected if you are using the Ni WooCommerce Order Export plugin in WordPress and are running version 3.1.6 or earlier. Upgrade to a patched version to resolve the issue.
The recommended fix is to upgrade the Ni WooCommerce Order Export plugin to a version that includes nonce validation. As a temporary workaround, implement a WAF rule to block suspicious AJAX requests.
There is currently no public evidence of CVE-2026-4140 being actively exploited in the wild, but it's crucial to apply the fix to prevent potential future attacks.
Check the Ni WooCommerce Order Export plugin page on the WordPress plugin repository for updates and security advisories related to CVE-2026-4140.