Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.
Published: 2026-01-08
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw exists in the vanquish WooCommerce Orders & Customers Exporter plugin, where special elements used in SQL commands are not properly neutralized. A malicious actor can insert arbitrary SQL fragments via exposed input, enabling the execution of unintended SQL commands. This could allow the attacker to read, modify, or delete stored data, leading to sensitive information exposure, configuration tampering, or service disruption.

Affected Systems

The vulnerability affects the vanquish WooCommerce Orders & Customers Exporter plugin, versions up to and including 5.4. All installations of this plugin within that range are at risk.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity. The EPSS score is below 1%, suggesting low current exploitation probability, and the flaw is not listed in CISA’s KEV catalogue. Likely, the attack vector involves a web request to the plugin’s export endpoint, which may be accessible to authenticated users or administrators. Given the nature of SQL injection, a remote attacker with sufficient privileges could use the flaw to exfiltrate data or alter the database.

Generated by OpenCVE AI on May 2, 2026 at 00:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Orders & Customers Exporter plugin to a version newer than 5.4, where the injection issue has been fixed.
  • Until the upgrade can be applied, remove or lock the export functionality from public access and restrict it to trusted administrators only.
  • Review the plugin’s database interactions to ensure all queries use parameterized statements or proper escaping, following best practices for preventing SQL injection (CWE‑89).

Generated by OpenCVE AI on May 2, 2026 at 00:53 UTC.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Vanquish; Vanquish woocommerce Orders Customers Exporter; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Vanquish; Vanquish woocommerce Orders Customers Exporter; Wordpress; Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 08 Jan 2026 09:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.

Type: Title
Values Removed: (none)
Values Added: WordPress WooCommerce Orders & Customers Exporter plugin <= 5.4 - SQL Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:05.429Z

Reserved: 2025-01-07T21:03:35.333Z

Link: CVE-2025-22713

Vulnrichment

Updated: 2026-01-08T14:59:29.492Z

NVD

Status: Deferred

Published: 2026-01-08T10:15:47.850

Modified: 2026-04-27T19:16:11.997

Link: CVE-2025-22713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses