Description
The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated modification of plugin settings via CSRF
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the AJAX handler ni_order_export_action() of the Ni WooCommerce Order Export plugin. A missing nonce and lack of capability checks allow any user to send a forged request, which is then used to update the plugin’s options using update_option without authentication. An attacker can change the plugin’s settings, potentially altering export configuration. This is a classic Cross‑Site Request Forgery flaw (CWE‑352).

Affected Systems

WordPress sites running the Ni WooCommerce Order Export plugin, version 3.1.6 and earlier, developed by anzia. The attack affects any WordPress installation that has the plugin installed and an administrator who can be lured into visiting a crafted URL.

Risk and Exploitability

With a CVSS score of 4.3 the vulnerability is considered moderate. No EPSS data is available, and it is not listed in the CISA KEV catalog. The attack requires the attacker to trick a site administrator or other privileged user into clicking a link that triggers the ni_order_export_action in the background, but no privileged credentials are needed to submit the request. If many sites use the affected plugin and administrators are social‑engineered, the risk of abuse is non‑negligible.

Generated by OpenCVE AI on April 22, 2026 at 09:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ni WooCommerce Order Export plugin to a release newer than 3.1.6, which adds nonce validation and capability checks to the AJAX handler.
  • If an upgrade cannot be performed immediately, temporarily disable the ni_order_export_action endpoint or remove the associated AJAX hook to prevent unintended configuration changes until the plugin is patched.
  • Enforce strong permissions on WordPress administrator accounts and consider using a web application firewall or security plugin to block unauthenticated requests to the affected action.

Generated by OpenCVE AI on April 22, 2026 at 09:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Anzia
Anzia ni Woocommerce Order Export
Wordpress
Wordpress wordpress
Vendors & Products Anzia
Anzia ni Woocommerce Order Export
Wordpress
Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Title Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Anzia Ni Woocommerce Order Export
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T12:14:09.487Z

Reserved: 2026-03-13T15:32:40.610Z

Link: CVE-2026-4140

cve-icon Vulnrichment

Updated: 2026-04-22T12:13:51.483Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T09:16:24.857

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4140

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:15Z

Weaknesses