Description
The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to, and including, 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The endpoint requires a valid woe_nonce and Shop Manager-level capabilities (view_woocommerce_reports or export_woocommerce_orders), and wp_magic_quotes protection is stripped via stripslashes_deep() before processing, allowing quote and backslash characters to survive intact into the SQL context.
Published: 2026-06-18
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Advanced Order Export For WooCommerce plugin suffers from an insufficiently escaped "sort_direction" parameter, allowing authenticated users with Shop Manager or higher privileges to inject SQL statements and retrieve sensitive database information. This is a classic SQL Injection flaw (CWE-89) that compromises data confidentiality. No denial of service or code execution is reported for this issue.

Affected Systems

WordPress sites running the Algolplus Advanced Order Export For WooCommerce plugin version 4.0.10 or earlier are affected. Users requiring Shop Manager or higher capabilities with a valid woe_nonce can exploit the vulnerability.

Risk and Exploitability

With a CVSS score of 4.9, the vulnerability carries a moderate risk rating. The EPSS score of <1% indicates a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Attackers would need authenticated access to a shop manager account and the ability to send requests containing a crafted sort_direction value to the vulnerable endpoint.

Generated by OpenCVE AI on June 18, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced Order Export For WooCommerce plugin to a newer version that has fixed the SQL injection flaw.
  • If an upgrade is not immediately possible, limit or remove Shop Manager role permissions from users who do not need export functionality.
  • Implement additional input validation or sanitization for the sort_direction parameter to prevent malicious SQL injection attempts.

Generated by OpenCVE AI on June 18, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.7/classes/admin/tabs/ajax/trait-wc-order-export-admin-tab-abstract-ajax-export.php#L13 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.7/classes/class-wc-order-export-admin.php#L550 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.7/classes/core/class-wc-order-export-engine.php#L378 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.7/classes/core/class-wc-order-export-engine.php#L531 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.7/classes/core/class-wc-order-export-engine.php#L537 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.7/classes/core/class-wc-order-export-engine.php#L649 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.9/classes/admin/tabs/ajax/trait-wc-order-export-admin-tab-abstract-ajax-export.php#L13 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.9/classes/class-wc-order-export-admin.php#L550 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.9/classes/core/class-wc-order-export-engine.php#L378 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.9/classes/core/class-wc-order-export-engine.php#L531 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.9/classes/core/class-wc-order-export-engine.php#L537 cve-icon
https://plugins.trac.wordpress.org/browser/woo-order-export-lite/tags/4.0.9/classes/core/class-wc-order-export-engine.php#L649 cve-icon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3564108%40woo-order-export-lite&new=3564108%40woo-order-export-lite&sfp_email=&sfph_mail= cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/0b395777-2e2a-4dc3-9b0c-ce4c9d22d7e9?source=cve cve-icon
History

Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Algolplus
Algolplus advanced Order Export For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Algolplus
Algolplus advanced Order Export For Woocommerce
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to, and including, 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The endpoint requires a valid woe_nonce and Shop Manager-level capabilities (view_woocommerce_reports or export_woocommerce_orders), and wp_magic_quotes protection is stripped via stripslashes_deep() before processing, allowing quote and backslash characters to survive intact into the SQL context.
Title Advanced Order Export For WooCommerce <= 4.0.10 - Authenticated (Shop Manager+) SQL Injection via 'sort_direction' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Algolplus Advanced Order Export For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T12:43:31.312Z

Reserved: 2026-06-05T11:37:38.172Z

Link: CVE-2026-11360

cve-icon Vulnrichment

Updated: 2026-06-18T12:43:27.249Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')