Impact
The vulnerability is a missing authorization flaw that lets users bypass intended access restrictions, allowing them to extract or manipulate order export/import data. It originates from insufficient user-capability checks in the Order Export & Order Import for WooCommerce plugin, so an attacker who can reach the plugin's functionality can view, export, or import order information. The weakness maps to CWE-862 (Missing Authorization) and could compromise the confidentiality of customer orders without directly affecting system integrity.
Affected Systems
WebToffee Order Export & Order Import for WooCommerce, versions up to and including 2.6.7. The plugin is typically installed on WordPress sites running WooCommerce. Any site that has not updated beyond 2.6.7 may be vulnerable.
Risk and Exploitability
A CVSS score of 4.3 indicates moderate severity and exploitability. The EPSS score is below 1%, meaning observed exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, further indicating a low probability of exploitation. The attack vector is inferred to be web requests to the plugin's admin endpoints, assuming the attacker can authenticate with a user role that can trigger export or import operations. Without proper authorization checks, any authenticated user could exploit the flaw, though unauthenticated attacks are unlikely because the plugin's protected pages must be reachable first.
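The following is an added, hypothetical illustration of the CWE-862 pattern described above in WordPress terms; it is not code from the WebToffee plugin, and the `hyp_` function names, the CSV columns, and the choice of `manage_woocommerce` as the required capability are assumptions. It shows why an authenticated low-privilege user can reach an admin-post handler, and the capability and nonce checks a defender expects to find in front of an order export.

```php
<?php
// Hypothetical illustration only: not code from the WebToffee plugin.
// An admin-post handler that exports WooCommerce orders as CSV.

// VULNERABLE PATTERN (CWE-862): the handler assumes that anyone who can
// reach admin-post.php is allowed to export orders. The 'admin_post_{action}'
// hook fires for every logged-in user, including the 'subscriber' role, so
// without a capability check any authenticated account can pull the data.
add_action( 'admin_post_hyp_export_orders_vulnerable', function () {
    $orders = wc_get_orders( array( 'limit' => -1 ) ); // no current_user_can() check
    hyp_stream_orders_csv( $orders );
} );

// HARDENED PATTERN: require a capability that only shop staff hold, and a
// nonce bound to this action so the request must originate from our own form.
add_action( 'admin_post_hyp_export_orders', function () {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to export orders.', 'hyp' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hyp_export_orders', 'hyp_export_nonce' ); // dies on a bad or missing nonce
    $orders = wc_get_orders( array( 'limit' => -1 ) );
    hyp_stream_orders_csv( $orders );
} );

// Form that issues the export request; the nonce field pairs with check_admin_referer().
function hyp_render_export_form() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return; // hide the UI too, but never rely on hiding alone
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hyp_export_orders">';
    wp_nonce_field( 'hyp_export_orders', 'hyp_export_nonce' );
    submit_button( __( 'Export orders', 'hyp' ) );
    echo '</form>';
}

// Streams the given WC_Order objects as CSV (assumed column set).
function hyp_stream_orders_csv( array $orders ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'order_id', 'status', 'total', 'billing_email' ) );
    foreach ( $orders as $order ) {
        fputcsv( $out, array( $order->get_id(), $order->get_status(), $order->get_total(), $order->get_billing_email() ) );
    }
    fclose( $out );
    exit;
}
```

When auditing a plugin for this class of flaw, look for every `admin_post_*`, `wp_ajax_*` and REST route callback that touches order data and confirm each one performs its own `current_user_can()` check rather than relying on menu visibility.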
OpenCVE Enrichment