Platform
wordpress
Component
ni-woocommerce-order-export
Fixed in
3.1.7
CVE-2026-4140 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Ni WooCommerce Order Export plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's configuration settings. The vulnerability impacts versions up to and including 3.1.6. A fix is available in a later version of the plugin.
An attacker exploiting this CSRF vulnerability can modify the Ni WooCommerce Order Export plugin's settings without authentication. This could lead to unauthorized data exports, altered export configurations, or even the injection of malicious code if the plugin settings control export behavior. The potential impact extends to sensitive customer data contained within WooCommerce orders, as the attacker could manipulate export destinations or filtering criteria. Successful exploitation could compromise the integrity and confidentiality of order data, potentially leading to data breaches and regulatory compliance issues. While the plugin itself doesn't directly handle sensitive data, its configuration controls how that data is processed and exported.
CVE-2026-4140 was published on 2026-04-21. There is no indication of this vulnerability being actively exploited in the wild. The EPSS score is likely Low, given the lack of public exploits and the relatively straightforward mitigation of upgrading the plugin. No known KEV listing. Check the WordPress plugin repository and security mailing lists for updates.
Exploit Status
EPSS
0.01% (0% percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-4140 is to upgrade the Ni WooCommerce Order Export plugin to a version that includes the necessary nonce validation fixes. If immediate upgrading is not possible due to compatibility concerns or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests to the niorderexportaction() AJAX handler that lack a valid CSRF token. Additionally, restrict access to the plugin's settings page using WordPress's role-based access control features to limit who can modify the configuration. After upgrading, confirm the fix by attempting a CSRF attack against the niorderexportaction() endpoint using a forged request and verifying that the request is rejected due to nonce validation.
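As an added illustration of what the nonce-validation fix changes (example code written for this advisory, not the plugin's own source), here is the shape of an unprotected admin-ajax settings handler beside a hardened one. The handler is named after the `niorderexportaction()` action the advisory mentions, but the function bodies, the option key `ni_order_export_settings`, the field names and the `manage_woocommerce` capability are all assumptions.

```php
<?php
// Added example, not code from the Ni WooCommerce Order Export plugin.
// Option key, field names and capability are assumptions for illustration.

// Unprotected shape: every POST that reaches admin-ajax.php is trusted.
// Nothing ties the request to a token the requester had to obtain from
// this site, so a request submitted from a third-party page in a logged-in
// administrator's browser is processed just like a legitimate save.
function niorderexportaction_unprotected() {
    $settings = array(
        'export_destination' => sanitize_text_field( wp_unslash( $_POST['export_destination'] ?? '' ) ),
        'order_status'       => sanitize_text_field( wp_unslash( $_POST['order_status'] ?? '' ) ),
    );
    update_option( 'ni_order_export_settings', $settings ); // assumed option key
    wp_send_json_success( $settings );
}

// Hardened shape: a nonce check against CSRF plus a capability check for
// authorization. The two are independent: a nonce proves the request came
// from a form this site rendered, not that the user may change settings.
function niorderexportaction_protected() {
    // Dies with a 403/-1 response if $_POST['_wpnonce'] is missing or was
    // not issued for the 'ni_order_export_settings' action.
    check_ajax_referer( 'ni_order_export_settings', '_wpnonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) { // assumed capability
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $settings = array(
        'export_destination' => sanitize_text_field( wp_unslash( $_POST['export_destination'] ?? '' ) ),
        'order_status'       => sanitize_text_field( wp_unslash( $_POST['order_status'] ?? '' ) ),
    );
    update_option( 'ni_order_export_settings', $settings );
    wp_send_json_success( $settings );
}
// Register only for authenticated users; no wp_ajax_nopriv_ hook is added,
// so anonymous callers cannot reach the handler at all.
add_action( 'wp_ajax_niorderexportaction', 'niorderexportaction_protected' );

// The settings form must render the matching nonce so legitimate saves
// still pass check_ajax_referer().
function ni_order_export_settings_nonce_field() {
    wp_nonce_field( 'ni_order_export_settings', '_wpnonce' );
}
```

A WAF rule of the kind the advisory suggests would key on the same signal: POSTs with `action=niorderexportaction` that carry no `_wpnonce` field.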
No known patch available. Study the details of the vulnerability thoroughly and apply mitigations based on your organization's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2026-4140 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ni WooCommerce Order Export plugin for WordPress versions up to 3.1.6. It allows attackers to modify plugin settings without authentication.
You are affected if you are using the Ni WooCommerce Order Export plugin in WordPress and are running version 3.1.6 or earlier. Upgrade to a patched version to resolve the issue.
The recommended fix is to upgrade the Ni WooCommerce Order Export plugin to a version that includes nonce validation. As a temporary workaround, implement a WAF rule to block suspicious AJAX requests.
There is currently no public evidence of CVE-2026-4140 being actively exploited in the wild, but it's crucial to apply the fix to prevent potential future attacks.
Check the Ni WooCommerce Order Export plugin page on the WordPress plugin repository for updates and security advisories related to CVE-2026-4140.