CVE-2021-27349

Vulnerability

Advanced Order Export for WooCommerce before version 3.1.8 contains a stored cross-site scripting (XSS) vulnerability [1][2]. The plugin exports order data to formats like CSV, XML, and HTML without proper sanitization of input fields, allowing attackers to inject malicious scripts that are executed when exported data is viewed [1].

Exploitation

An attacker with access to add or modify order data (e.g., via WooCommerce order fields) can inject a crafted payload containing JavaScript. When an administrator or user exports orders using the plugin and views the output file (especially HTML format), the script executes in the context of the victim's browser [1]. No authentication other than being able to edit orders or inject custom fields is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user who views the exported data. This can lead to theft of session cookies, redirects to malicious sites, or modification of page content. The attack scope is within the WordPress admin area or wherever the export is displayed [1].

Mitigation

Upgrade to Advanced Order Export for WooCommerce version 3.1.8 or later. The fix was released with version 3.1.8 [1]. As of the latest update (version 4.0.7 [2]), the vulnerability is resolved. No known workarounds are documented; updating is the recommended action.