Description
Missing Authorization vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WooCommerce Orders & Customers Exporter plugin contains a missing authorization check that allows any authenticated user to trigger the export of all orders and customer data, leading to potential leakage of sensitive customer information. This broken access control is classified as CWE-862 and can compromise confidentiality by exposing personal and transactional data.

Affected Systems

The vulnerability affects the WooCommerce Orders & Customers Exporter plugin by vanquish, in all versions up to and including 5.4. Any WordPress site running an affected version is therefore exposed until a version that includes the authorization fix is deployed.

Risk and Exploitability

With a CVSS score of 6.5, the issue is rated Medium severity. The EPSS score of less than 1% suggests a low probability of immediate exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be remote exploitation via the plugin’s export endpoint, which is potentially accessible to users with any authentication level, enabling an adversary to extract customer data without elevated privileges.

Generated by OpenCVE AI on April 30, 2026 at 05:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Orders & Customers Exporter plugin to the latest version that fixes the missing authorization check.
  • If an upgrade is not yet available, disable the export feature or restrict access to the plugin’s export endpoint to administrators only.
  • Implement routine access‑control audits and monitor export logs for unauthorized activity.


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 17:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Thu, 23 Oct 2025 14:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Vanquish; Vanquish woocommerce Orders Customers Exporter; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Vanquish; Vanquish woocommerce Orders Customers Exporter; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.

Type: Title
Values Added: WordPress WooCommerce Orders & Customers Exporter plugin <= 5.4 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:24.490Z

Reserved: 2025-06-30T10:46:02.700Z

Link: CVE-2025-53424

Vulnrichment

Updated: 2025-10-23T13:53:11.988Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:50.727

Modified: 2026-04-27T18:16:21.820

Link: CVE-2025-53424

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:45:16Z
