Vulnerabilities and security researches forni-woocommerce-order-export ni-woocommerce-order-export

Dec 15, 2024

CVE, Research URL: CVE-2024-54231
Home page URL: Security reports for Ni WooCommerce Order Export
Application: Ni WooCommerce Order Export
Date: Dec 13, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anzia Ni WooCommerce Order Export allows Reflected XSS.This issue affects Ni WooCommerce Order Export: from n/a through 3.1.6.
Affected versions: max 3.1.6.
Status: vulnerable

Apr 24, 2026

CVE, Research URL: CVE-2026-4140
Home page URL: Security reports for Ni WooCommerce Order Export
Application: Ni WooCommerce Order Export
Date: Apr 22, 2026
Research Description: The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions: max 3.1.6.
Status: vulnerable