{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4140", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T15:32:40.610Z", "datePublished": "2026-04-22T07:45:33.627Z", "dateUpdated": "2026-04-22T07:45:33.627Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:33.627Z"}, "affected": [{"vendor": "anzia", "product": "Ni WooCommerce Order Export", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "title": "Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d62c49c-3a33-4865-abcc-22d8e38ac198?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/trunk/include/ni-order-setting.php#L59"}, {"url": "https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/tags/3.1.6/include/ni-order-setting.php#L59"}, {"url": "https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/trunk/include/ni-order-export.php#L136"}, {"url": "https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/tags/3.1.6/include/ni-order-export.php#L136"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-04-21T19:05:33.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "id": "CVE-2026-4140", "lastModified": "2026-04-22T09:16:24.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:24.857", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/tags/3.1.6/include/ni-order-export.php#L136"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/tags/3.1.6/include/ni-order-setting.php#L59"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/trunk/include/ni-order-export.php#L136"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ni-woocommerce-order-export/trunk/include/ni-order-setting.php#L59"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d62c49c-3a33-4865-abcc-22d8e38ac198?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:53:55.987810+00:00", "value": {"mitigation_remediation": ["Upgrade the Ni WooCommerce Order Export plugin to a release newer than 3.1.6, which adds nonce validation and capability checks to the AJAX handler.", "If an upgrade cannot be performed immediately, temporarily disable the ni_order_export_action endpoint or remove the associated AJAX hook to prevent unintended configuration changes until the plugin is patched.", "Enforce strong permissions on WordPress administrator accounts and consider using a web application firewall or security plugin to block unauthenticated requests to the affected action."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated modification of plugin settings via CSRF"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Ni WooCommerce Order Export plugin, version\u202f3.1.6 and earlier, developed by anzia. The attack affects any WordPress installation that has the plugin installed and an administrator who can be lured into visiting a crafted URL.", "description_and_impact": "The vulnerability resides in the AJAX handler ni_order_export_action() of the Ni WooCommerce Order Export plugin. A missing nonce and lack of capability checks allow any user to send a forged request, which is then used to update the plugin\u2019s options using update_option without authentication. An attacker can change the plugin\u2019s settings, potentially altering export configuration. This is a classic Cross\u2011Site Request Forgery flaw (CWE\u2011352).", "risk_and_exploitability": "With a CVSS score of 4.3 the vulnerability is considered moderate. No EPSS data is available, and it is not listed in the CISA KEV catalog. The attack requires the attacker to trick a site administrator or other privileged user into clicking a link that triggers the ni_order_export_action in the background, but no privileged credentials are needed to submit the request. If many sites use the affected plugin and administrators are social\u2011engineered, the risk of abuse is non\u2011negligible."}}}}, "created": "2026-04-22T10:00:10.251089+00:00", "updated": "2026-04-22T10:00:10.251100+00:00", "vendors": []}