cleantalk
Vulnerabilities and Security Researches

Order Export & Order Import for WooCommerce, CVE-2024-13921

CVE, Research URL

CVE-2024-13921

Home page URL

Security reports for Order Export & Order Import for WooCommerce

Application

Order Export & Order Import for WooCommerce

Published on
Mar 20, 2025
Research Description
The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Affected versions
Min -, max 2.6.1.
Status
vulnerable
Previous vulnerability researches
Import Export For WooCommerce (CVE-2025-48144) , May 18, 2025
Import Export For WooCommerce (CVE-2024-54262) , Dec 15, 2024
Product Reviews Import Export for WooCommerce (dc9430138cab4fba554bf7cd2fbfe9859f70b894) , Jun 07, 2024
Product Reviews Import Export for WooCommerce (CVE-2022-46802) , Jun 07, 2024
Order Export & Order Import for WooCommerce (CVE-2024-13921) , Mar 21, 2025
New vulnerability
WooCommerce POS (CVE-2025-48117) , May 18, 2025
BERTHA AI. Your AI co-pilot for WordPress and Chrome (CVE-2025-48138) , May 18, 2025
SEO Flow by LupsOnline (CVE-2025-48146) , May 18, 2025
MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution (CVE-2025-4101) , May 18, 2025
WP Tabs – Responsive Tabs Plugin for WordPress (CVE-2025-48134) , May 18, 2025