WP-Safety

Order Export & Order Import for WooCommerce Security & Risk Analysis

wordpress.org/plugins/order-import-export-for-woocommerce

The best order export import plugin for WooCommerce. Easily import and export WooCommerce orders and WooCommerce coupons using CSV.

60K active installs v2.7.2 PHP 5.6+ WP 3.0+ Updated Mar 10, 2026
advanced-order-exportcoupon-import-exportwoocommerce-export-orderswoocommerce-import-orderswoocommerce-order-import-export
92
A · Safe
CVEs total7
Unpatched0
Last CVEOct 30, 2025
Plugin page Download
Safety Verdict

Is Order Export & Order Import for WooCommerce Safe to Use in 2026?

Generally Safe

Score 92/100

Order Export & Order Import for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

7 known CVEsLast CVE: Oct 30, 2025Updated 2mo ago
Risk Assessment

The plugin "order-import-export-for-woocommerce" v2.7.2 exhibits a mixed security posture. While it demonstrates good practices in SQL query sanitization and output escaping, and has no currently unpatched vulnerabilities, several areas raise significant concern. The substantial attack surface, with 17 AJAX handlers and a concerning 7 of them lacking authentication checks, presents a direct pathway for potential unauthorized actions. This is further amplified by 7 flows identified with unsanitized paths, indicating a risk of path traversal or other file-related vulnerabilities, although the static analysis did not classify them as critical or high severity.

The plugin's vulnerability history reveals a pattern of significant past security issues, including missing authorization, path traversal, SSRF, and deserialization vulnerabilities. The fact that 4 high and 2 medium severity vulnerabilities have been documented in the past suggests a recurring tendency towards insecure coding practices, even though no critical or high severity issues are currently unpatched. This historical context, combined with the identified lack of authorization on a significant portion of its AJAX endpoints, points to a persistent risk of privilege escalation or unauthorized data access if not properly addressed.

In conclusion, while the plugin has made strides in securing its database interactions and output rendering, the large number of unprotected AJAX endpoints and the historical precedent of severe vulnerabilities necessitate a cautious approach. The identified unsanitized paths, while not currently critical, are a red flag given the plugin's history. Users should be aware of these potential weaknesses and ensure the plugin is kept updated with any future security patches, and ideally, the unprotected AJAX handlers should be secured.

Key Concerns

  • AJAX handlers without auth checks
  • Flows with unsanitized paths
  • High severity vulnerabilities in history (4)
  • Medium severity vulnerabilities in history (2)
  • Bundled library Select2
Vulnerabilities
7 published

Order Export & Order Import for WooCommerce Security Vulnerabilities

CVEs by Year

2 CVEs in 2024
2024
5 CVEs in 2025
2025
Patched Has unpatched

Severity Breakdown

High
4
Medium
2
Low
1

7 total CVEs

CVE-2025-64382medium · 4.3Missing Authorization

Order Export & Order Import for WooCommerce <= 2.6.7 - Missing Authorization

Oct 30, 2025 Patched in 2.6.8 (19d)
CVE-2024-13920medium · 4.9Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Order Export & Order Import for WooCommerce <= 2.6.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function

Mar 19, 2025 Patched in 2.6.1 (1d)
CVE-2024-13921high · 7.2Deserialization of Untrusted Data

Order Export & Order Import for WooCommerce <= 2.6.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter

Mar 19, 2025 Patched in 2.6.1 (1d)
CVE-2024-13922low · 2.7External Control of File Name or Path

Order Export & Order Import for WooCommerce <= 2.6.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function

Mar 19, 2025 Patched in 2.6.1 (1d)
CVE-2024-13923high · 7.6Server-Side Request Forgery (SSRF)

Order Export & Order Import for WooCommerce <= 2.6.0 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function

Mar 19, 2025 Patched in 2.6.1 (1d)
CVE-2024-34751high · 7.2Deserialization of Untrusted Data

Order Export & Order Import for WooCommerce <= 2.4.9 - Authenticated (Administrator+) PHP Object Injection

May 14, 2024 Patched in 2.5.0 (7d)
CVE-2024-22135high · 7.2Unrestricted Upload of File with Dangerous Type

Order Export & Order Import for WooCommerce <= 2.4.3 - Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file

Jan 10, 2024 Patched in 2.4.4 (13d)
Version History

Order Export & Order Import for WooCommerce Release Timeline

v2.7.2Current
v2.7.1
v2.7.0
v2.6.9
v2.6.8
v2.6.71 CVE
CVE-2025-64382
v2.6.61 CVE
CVE-2025-64382
v2.6.51 CVE
CVE-2025-64382
v2.6.41 CVE
CVE-2025-64382
v2.6.31 CVE
CVE-2025-64382
v2.6.21 CVE
CVE-2025-64382
v2.6.11 CVE
CVE-2025-64382
v2.6.05 CVEs
CVE-2025-64382 CVE-2024-13923 CVE-2024-13922 +2 more
v2.5.95 CVEs
CVE-2025-64382 CVE-2024-13923 CVE-2024-13922 +2 more
v2.5.85 CVEs
CVE-2025-64382 CVE-2024-13923 CVE-2024-13922 +2 more
v2.5.75 CVEs
CVE-2025-64382 CVE-2024-13923 CVE-2024-13922 +2 more
v2.5.65 CVEs
CVE-2025-64382 CVE-2024-13923 CVE-2024-13922 +2 more
v2.5.55 CVEs
CVE-2025-64382 CVE-2024-13923 CVE-2024-13922 +2 more
v2.5.45 CVEs
CVE-2025-64382 CVE-2024-13923 CVE-2024-13922 +2 more
v2.5.35 CVEs
CVE-2025-64382 CVE-2024-13923 CVE-2024-13922 +2 more
Code Analysis
Analyzed Mar 16, 2026

Order Export & Order Import for WooCommerce Code Analysis

Dangerous Functions
0
Raw SQL Queries
10
117 prepared
Unescaped Output
70
1065 escaped
Nonce Checks
17
Capability Checks
7
File Operations
35
External Requests
3
Bundled Libraries
1

Bundled Libraries

Select2

SQL Query Safety

92% prepared127 total queries

Output Escaping

94% escaped1135 total outputs
Data Flows · Security
7 unsanitized

Data Flow Analysis

15 flows7 with unsanitized paths
download_file (admin\modules\export\export.php:902)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
7 unprotected

Order Export & Order Import for WooCommerce Attack Surface

Entry Points17
Unprotected7

AJAX Handlers 17

authwp_ajax_wbte_ema_banner_analytics_page_dismissadmin\banner\class-wbte-ema-banner.php:45
authwp_ajax_wbte_sc_hide_promotion_banneradmin\banner\class-wt-bfcm-twenty-twenty-five.php:91
authwp_ajax_wt_p_iew_dismiss_cta_banner_default_pageadmin\banner\class-wt-p-iew-cta-banner-default-page.php:22
authwp_ajax_wt_oiew_top_header_loadedadmin\class-wt-import-export-for-woo-admin.php:78
authwp_ajax_wt_dismiss_product_ie_cta_banneradmin\cross-promotion-banners\class-wt-p-iew-cta-banner.php:32
authwp_ajax_wt_dismiss_invoice_cta_banneradmin\cross-promotion-banners\class-wt-pklist-cta-banner.php:31
authwp_ajax_wt_dismiss_smart_coupon_cta_banneradmin\cross-promotion-banners\class-wt-smart-coupon-cta-banner.php:30
authwp_ajax_iew_export_ajax_basicadmin\modules\export\export.php:109
authwp_ajax_iew_export_dismiss_adbanneradmin\modules\export\export.php:118
authwp_ajax_iew_history_ajax_basicadmin\modules\history\history.php:60
authwp_ajax_iew_import_ajax_basicadmin\modules\import\import.php:104
authwp_ajax_wt_iew_request_a_featureadmin\modules\request_feature\request_feature.php:27
authwp_ajax_wt_iew_dismiss_wc_pages_bannerclass-wt-order-review-request.php:108
authwp_ajax_wforderimpexp_submit_uninstall_reasonincludes\class-wf-orderimpexp-plugin-uninstall-feedback.php:15
authwp_ajax_wt_iew_save_settings_basicincludes\class-wt-import-export-for-woo.php:232
authwp_ajax_wt_iew_delete_templateincludes\class-wt-import-export-for-woo.php:233
authwp_ajax_wt_iew_ajax_coupon_searchincludes\class-wt-import-export-for-woo.php:234
WordPress Hooks 108
actionadmin_enqueue_scriptsadmin\banner\class-wbte-ema-banner.php:43
actionadmin_footeradmin\banner\class-wbte-ema-banner.php:44
actionadmin_initadmin\banner\class-wbte-ema-banner.php:180
actionadmin_enqueue_scriptsadmin\banner\class-wt-bfcm-twenty-twenty-five.php:80
actionadmin_noticesadmin\banner\class-wt-bfcm-twenty-twenty-five.php:83
actionadmin_head-edit.phpadmin\banner\class-wt-bfcm-twenty-twenty-five.php:88
actionadmin_footeradmin\banner\class-wt-p-iew-cta-banner-default-page.php:21
actionadmin_print_scriptsadmin\class-wt-import-export-for-woo-admin.php:79
actionadmin_enqueue_scriptsadmin\cross-promotion-banners\class-wt-p-iew-cta-banner.php:30
actionadd_meta_boxesadmin\cross-promotion-banners\class-wt-p-iew-cta-banner.php:31
actionadmin_enqueue_scriptsadmin\cross-promotion-banners\class-wt-pklist-cta-banner.php:29
actionadd_meta_boxesadmin\cross-promotion-banners\class-wt-pklist-cta-banner.php:30
actionadmin_enqueue_scriptsadmin\cross-promotion-banners\class-wt-smart-coupon-cta-banner.php:28
actionadd_meta_boxesadmin\cross-promotion-banners\class-wt-smart-coupon-cta-banner.php:29
filterwt_iew_exporter_post_types_basicadmin\modules\coupon\coupon.php:51
filterwt_iew_importer_post_types_basicadmin\modules\coupon\coupon.php:52
filterwt_iew_exporter_alter_mapping_fields_basicadmin\modules\coupon\coupon.php:54
filterwt_iew_importer_alter_mapping_fields_basicadmin\modules\coupon\coupon.php:55
filterwt_iew_exporter_alter_filter_fields_basicadmin\modules\coupon\coupon.php:57
filterwt_iew_importer_alter_advanced_fields_basicadmin\modules\coupon\coupon.php:59
filterwt_iew_exporter_alter_meta_mapping_fields_basicadmin\modules\coupon\coupon.php:61
filterwt_iew_importer_alter_meta_mapping_fields_basicadmin\modules\coupon\coupon.php:62
filterwt_iew_exporter_alter_mapping_enabled_fields_basicadmin\modules\coupon\coupon.php:64
filterwt_iew_importer_alter_mapping_enabled_fields_basicadmin\modules\coupon\coupon.php:65
filterwt_iew_exporter_do_export_basicadmin\modules\coupon\coupon.php:67
filterwt_iew_importer_do_import_basicadmin\modules\coupon\coupon.php:68
filterwt_iew_importer_steps_basicadmin\modules\coupon\coupon.php:70
actionadmin_footer-edit.phpadmin\modules\coupon\coupon.php:72
actionload-edit.phpadmin\modules\coupon\coupon.php:73
filterwt_iew_advanced_setting_fields_basicadmin\modules\export\export.php:103
filterwt_iew_admin_menu_basicadmin\modules\export\export.php:112
actionadmin_initadmin\modules\export\export.php:115
filterwt_iew_admin_menu_basicadmin\modules\history\history.php:54
filterwt_iew_advanced_setting_fields_basicadmin\modules\history\history.php:57
actionwt_iew_after_advanced_setting_update_basicadmin\modules\history\history.php:63
actionadmin_initadmin\modules\history\history.php:66
filterwt_iew_advanced_setting_fields_basicadmin\modules\import\import.php:98
filterwt_iew_admin_menu_basicadmin\modules\import\import.php:107
filtercomments_clausesadmin\modules\order\export\class-wt-orderimpexpcsv-basic-exporter.php:620
filtercomments_clausesadmin\modules\order\export\export.php:1026
filterwoocommerce_order_data_store_cpt_get_orders_queryadmin\modules\order\export\export.php:1177
actionwoocommerce_emailadmin\modules\order\import\import.php:1932
filterwoocommerce_email_enabled_customer_noteadmin\modules\order\import\import.php:2358
actionwoocommerce_emailadmin\modules\order\import\import.php:2581
actionwoocommerce_order_status_pending_to_processing_notificationadmin\modules\order\import\import.php:2728
actionwoocommerce_order_status_pending_to_completed_notificationadmin\modules\order\import\import.php:2729
actionwoocommerce_order_status_pending_to_on-hold_notificationadmin\modules\order\import\import.php:2730
actionwoocommerce_order_status_failed_to_processing_notificationadmin\modules\order\import\import.php:2731
actionwoocommerce_order_status_failed_to_completed_notificationadmin\modules\order\import\import.php:2732
actionwoocommerce_order_status_failed_to_on-hold_notificationadmin\modules\order\import\import.php:2733
actionwoocommerce_order_status_pending_to_processing_notificationadmin\modules\order\import\import.php:2736
actionwoocommerce_order_status_pending_to_on-hold_notificationadmin\modules\order\import\import.php:2737
actionwoocommerce_order_status_completed_notificationadmin\modules\order\import\import.php:2740
filterwt_iew_exporter_post_types_basicadmin\modules\order\order.php:54
filterwt_iew_importer_post_types_basicadmin\modules\order\order.php:55
filterwt_iew_exporter_alter_mapping_fields_basicadmin\modules\order\order.php:58
filterwt_iew_importer_alter_mapping_fields_basicadmin\modules\order\order.php:59
filterwt_iew_exporter_alter_filter_fields_basicadmin\modules\order\order.php:61
filterwt_iew_exporter_alter_advanced_fields_basicadmin\modules\order\order.php:63
filterwt_iew_importer_alter_advanced_fields_basicadmin\modules\order\order.php:64
filterwt_iew_exporter_alter_meta_mapping_fields_basicadmin\modules\order\order.php:66
filterwt_iew_importer_alter_meta_mapping_fields_basicadmin\modules\order\order.php:67
filterwt_iew_exporter_alter_mapping_enabled_fields_basicadmin\modules\order\order.php:69
filterwt_iew_importer_alter_mapping_enabled_fields_basicadmin\modules\order\order.php:70
filterwt_iew_exporter_do_export_basicadmin\modules\order\order.php:72
filterwt_iew_importer_do_import_basicadmin\modules\order\order.php:73
filterwt_iew_importer_steps_basicadmin\modules\order\order.php:75
filterbulk_actions-edit-shop_orderadmin\modules\order\order.php:83
actionadmin_footer-edit.phpadmin\modules\order\order.php:86
actionload-edit.phpadmin\modules\order\order.php:88
filterbulk_actions-woocommerce_page_wc-ordersadmin\modules\order\order.php:91
filterhandle_bulk_actions-woocommerce_page_wc-ordersadmin\modules\order\order.php:92
actionadmin_enqueue_scriptsadmin\modules\request_feature\request_feature.php:24
actionwt_iew_plugin_settings_after_wrapadmin\modules\request_feature\request_feature.php:25
actionadmin_footeradmin\modules\request_feature\request_feature.php:26
filterwp_kses_allowed_htmladmin\wt-ds\class-wbte-ds.php:115
actionadmin_enqueue_scriptsadmin\wt-ds\class-wbte-ds.php:118
actionadmin_noticesclass-wt-order-review-request.php:66
actioninitclass-wt-order-review-request.php:83
actionadmin_noticesclass-wt-order-review-request.php:101
actionadmin_print_footer_scriptsclass-wt-order-review-request.php:102
actionadmin_noticesclass-wt-order-review-request.php:107
actionadmin_initclass-wt-order-welcome-script.php:7
actionadmin_noticeshelpers\class-wt-common-helper.php:76
actionadmin_footerincludes\class-wf-orderimpexp-plugin-uninstall-feedback.php:14
actioninitincludes\class-wt-import-export-for-woo.php:219
actionadmin_menuincludes\class-wt-import-export-for-woo.php:243
actionadmin_enqueue_scriptsincludes\class-wt-import-export-for-woo.php:246
actionadmin_enqueue_scriptsincludes\class-wt-import-export-for-woo.php:247
actionexport_filtersincludes\class-wt-import-export-for-woo.php:249
actioninitincludes\class-wt-import-export-for-woo.php:252
filterwt_bfcm_banner_screensincludes\class-wt-import-export-for-woo.php:260
actionwp_enqueue_scriptsincludes\class-wt-import-export-for-woo.php:274
actionwp_enqueue_scriptsincludes\class-wt-import-export-for-woo.php:275
actionadmin_noticesincludes\class-wt-non-apache-info.php:31
actionadmin_print_footer_scriptsincludes\class-wt-non-apache-info.php:32
actionplugins_loadedorder-import-export-for-woocommerce.php:78
actionadmin_noticesorder-import-export-for-woocommerce.php:86
actioninitorder-import-export-for-woocommerce.php:155
actionadmin_print_footer_scriptsorder-import-export-for-woocommerce.php:186
actionin_plugin_update_message-order-import-export-for-woocommerce/order-import-export-for-woocommerce.phporder-import-export-for-woocommerce.php:190
actionwt_order_addon_basic_help_contentorder-import-export-for-woocommerce.php:223
actionwt_coupon_addon_basic_help_contentorder-import-export-for-woocommerce.php:240
actionwt_order_addon_basic_gopro_contentorder-import-export-for-woocommerce.php:257
filtermanage_posts_extra_tablenavorder-import-export-for-woocommerce.php:301
actionadmin_headorder-import-export-for-woocommerce.php:306
actionbefore_woocommerce_initorder-import-export-for-woocommerce.php:318
actionadmin_initorder-import-export-for-woocommerce.php:396
Maintenance & Trust

Order Export & Order Import for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 10, 2026
PHP min version5.6
Downloads2.2M

Community Trust

Rating94/100
Number of ratings326
Active installs60K
Alternatives

Order Export & Order Import for WooCommerce Alternatives

No alternatives data available yet.

Developer Profile

Order Export & Order Import for WooCommerce Developer Profile

WebToffee

18 plugins · 377K total installs

78
trust score
Avg Security Score
98/100
Avg Patch Time
152 days
View full developer profile
Detection Fingerprints

How We Detect Order Export & Order Import for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/order-import-export-for-woocommerce/assets/css/jquery.mCustomScrollbar.css/wp-content/plugins/order-import-export-for-woocommerce/assets/css/jquery.mCustomScrollbar.min.css/wp-content/plugins/order-import-export-for-woocommerce/assets/css/order-import-export-for-woocommerce-admin.css/wp-content/plugins/order-import-export-for-woocommerce/assets/css/order-import-export-for-woocommerce-backend.css/wp-content/plugins/order-import-export-for-woocommerce/assets/css/order-import-export-for-woocommerce-frontend.css/wp-content/plugins/order-import-export-for-woocommerce/assets/css/order-import-export-for-woocommerce.css/wp-content/plugins/order-import-export-for-woocommerce/assets/js/advanced-export-settings.js/wp-content/plugins/order-import-export-for-woocommerce/assets/js/advanced-import-settings.js+28 more
Script Paths
/wp-content/plugins/order-import-export-for-woocommerce/assets/js/order-import-export-for-woocommerce.js
Version Parameters
order-import-export-for-woocommerce/order-import-export-for-woocommerce.php?ver=order-import-export-for-woocommerce/assets/js/order-import-export-for-woocommerce.js?ver=

HTML / DOM Fingerprints

CSS Classes
wt_oiew_upgrade_noticewt-oiew-upgrade-noticewt-export-formwt-import-formwt_oiew_tab_navwt_oiew_tab_contentwt-admin-noticewt_oiew_upgrade_free_to_premium+7 more
HTML Comments
<!-- currently plugin version --><!-- the code that runs during plugin activation --><!-- checking wc is actived or not --><!-- the code that runs during plugin deactivation -->+5 more
Data Attributes
data-bs-targetdata-bs-toggledata-targetdata-toggledata-iddata-field+1 more
JS Globals
wt_oiew_admin_ajax_objectwt_oiew_objwt_order_import_export_admin_objwt_oiew_paramsWtOrderImportExportwt_woo_cart_product_obj
REST Endpoints
/wp-json/order-import-export-for-woocommerce/v1/import/wp-json/order-import-export-for-woocommerce/v1/export
FAQ

Frequently Asked Questions about Order Export & Order Import for WooCommerce