WordPress Advanced Order Export For WooCommerce plugin <= 3.3.2 - Cross-Site Request Forgery (CSRF) vulnerability
Description
CSRF vulnerability in Advanced Order Export For WooCommerce <=3.3.2 allows an attacker to trick a logged-in admin into downloading an export file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Advanced Order Export For WooCommerce plugin for WordPress, versions 3.3.2 and earlier. The plugin fails to properly validate or enforce a nonce on the export download action, allowing an attacker to forge requests that trigger an export file download without the victim's consent [1]. The vulnerability is present in the export functionality accessible to authenticated administrators.
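The missing check described above, as an added example that is not the plugin's own code: a hypothetical WordPress AJAX export handler shown without and with nonce verification. The `example_*` names, the `manage_woocommerce` capability choice and the placeholder CSV body are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example export nonce check (hypothetical, added for illustration)
 */

// BEFORE (shown for contrast, deliberately not hooked): capability check only.
// The admin's session cookie accompanies a request started from any other
// site, so this check alone cannot tell a forged request from a real click.
function example_export_unsafe() {
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_die( 'Forbidden', '', array( 'response' => 403 ) );
	}
	example_send_export();
}

// AFTER: the same capability check plus a nonce bound to this action and user.
function example_export_safe() {
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_die( 'Forbidden', '', array( 'response' => 403 ) );
	}
	// Ends the request with a 403 unless $_REQUEST['_wpnonce'] is a valid,
	// unexpired nonce for 'example_export' issued to the current user.
	check_ajax_referer( 'example_export', '_wpnonce' );
	example_send_export();
}
add_action( 'wp_ajax_example_export', 'example_export_safe' );

// The admin screen builds its download link with a fresh nonce. Another site
// cannot read this value, so it cannot construct a request that passes.
function example_export_url() {
	return add_query_arg(
		array(
			'action'   => 'example_export',
			'_wpnonce' => wp_create_nonce( 'example_export' ),
		),
		admin_url( 'admin-ajax.php' )
	);
}

// Placeholder export body (constructed sample data, not real order fields).
function example_send_export() {
	nocache_headers();
	header( 'Content-Type: text/csv; charset=utf-8' );
	header( 'Content-Disposition: attachment; filename="orders.csv"' );
	echo "order_id,total\n1001,19.99\n";
	exit;
}
```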
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link or hosting a page that, when visited by a logged-in WordPress administrator, automatically submits a forged request to the plugin's export endpoint. The attacker does not need any authentication themselves; they only need to trick an authenticated admin into performing the action (e.g., via social engineering or by embedding the request in a third-party site). The victim must have the plugin installed and be logged into WordPress with sufficient privileges to access the export feature.
Impact
Successful exploitation forces the victim's browser to download an export file containing WooCommerce order data. This can lead to unauthorized disclosure of sensitive information such as customer details, order items, and payment data. The attacker gains access to the exported data if they can intercept the download or if the file is stored in a predictable location. The impact is limited to information disclosure; no direct code execution or privilege escalation is achieved.
Mitigation
The vulnerability is fixed in version 3.3.3 and later releases. Users should update the Advanced Order Export For WooCommerce plugin to the latest version (4.0.7 as of the reference date) [1]. No workarounds are documented; updating is the recommended mitigation. The plugin is actively maintained, and no EOL status has been announced.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.3.2
- AlgolPlus/Advanced Order Export For WooCommerce (WordPress plugin) v5 Range: <= 3.3.2
Patches
No patches discovered yet.
References: 2
News mentions
No linked articles in our index yet.