WordPress Plugin Vulnerabilities

Order Export & Order Import for WooCommerce < 2.6.8 - Missing Authorization

Description

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.6.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
order-import-export-for-woocommerce
Fixed in 2.6.8

References

CVE
CVE-2025-64382
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/164e9694-3cfd-4cac-8376-deabb1738abf

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Legion Hunter
Verified
No
WPVDB ID
6ff3561c-b633-4d53-8094-dabb25a7ba92

Timeline

Publicly Published
2025-10-30 (about 7 months ago)
Added
2025-11-17 (about 6 months ago)
Last Updated
2025-11-17 (about 6 months ago)

Other

Published
Title
Published
2023-01-24
Title
Intuitive Custom Post Order < 3.1.4 - Subscriber+ Arbitrary Menu Order Update
Published
2025-10-30
Title
ERI File Library < 1.1.1 - Missing Authorization to Unauthenticated Protected File Download
Published
2022-09-20
Title
Import all XML, CSV & TXT into WordPress < 6.5.8 - Missing Authorisation
Published
2023-02-14
Title
WP VR < 8.2.8 - Subscriber+ Settings Update
Published
2025-09-08
Title
Categorify <= 1.0.7.5 - Missing Authorization