[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7OSk2MWVCww6vN9J-dhgnxNQ43bj4Z5L3feCmIkPG7I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4140","ni-woocommerce-order-export-cross-site-request-forgery-to-settings-update-via-niorderexportaction-ajax-action","Ni WooCommerce Order Export \u003C= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action","The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. 
This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","ni-woocommerce-order-export",null,"\u003C=3.1.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-21 19:05:33","2026-04-22 07:45:33",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2d62c49c-3a33-4865-abcc-22d8e38ac198?source=api-prod",[],"researched",false,3,"This research plan outlines the process for exploiting a Cross-Site Request Forgery (CSRF) vulnerability in the Ni WooCommerce Order Export plugin.\n\n## 1. Vulnerability Summary\nThe **Ni WooCommerce Order Export** plugin (up to version 3.1.6) fails to implement nonce verification and capability checks in its AJAX handler for the `ni_order_export_action` action. Specifically, when the `page` parameter is set to `nioe-order-settings`, the code delegates processing to `Ni_Order_Setting::page_ajax()`. This function takes the entire `$_REQUEST` array and saves it directly into the WordPress database using `update_option('ni_order_export_option', ...)`.\n\nBecause there is no verification that the request was intentionally sent by an administrator, an attacker can trick a logged-in admin into submitting a request that overwrites the plugin's configuration.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `ni_order_export_action`\n- **Vulnerable Parameter:** `page` (must be `nioe-order-settings`)\n- **Payload Parameters:** Any key-value pairs sent in the request (e.g., via POST or GET) will be written to the `ni_order_export_option` option.\n- **Authentication Level:** The attacker is unauthenticated but requires an **Authenticated Administrator** to execute the request (via CSRF).\n- **Preconditions:**\n    - The Ni WooCommerce Order Export plugin is active.\n    - WooCommerce is active (as it is a dependency).\n\n## 3. Code Flow (Inferred from Patch\u002FDescription)\n1.  **Registration:** The plugin registers the AJAX hook:\n    `add_action('wp_ajax_ni_order_export_action', 'ni_order_export_action');`\n2.  **Entry Point:** `ni_order_export_action()` is executed when the AJAX request is received.\n3.  **Branching Logic:** The function checks `$_REQUEST['page']`.\n4.  **Vulnerable Branch:** If `$_REQUEST['page'] === 'nioe-order-settings'`, it calls `Ni_Order_Setting::page_ajax()`.\n5.  **The Sink:** Inside `page_ajax()`, the code executes:\n    `update_option('ni_order_export_option', $_REQUEST);`\n6.  **Failure:** No `check_ajax_referer()` or `current_user_can('manage_options')` is called before the `update_option` sink.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this specific AJAX handler **is missing nonce validation entirely**. Therefore, **no nonce is required** to successfully exploit the vulnerability.\n\nIf a nonce were required, it would typically be found in the admin dashboard under the \"Order Export\" settings page, likely localized under a JS object. However, for this CVE, the strategy is to bypass the nonce check by simply omitting it or providing any value, as it is not verified in the affected versions.\n\n## 5. 
Exploitation Strategy\nThe goal is to modify the plugin's export settings (e.g., the default filename for exports) to demonstrate unauthorized data modification.\n\n### Step-by-Step Plan:\n1.  **Identify Target Option Content:** First, check the existing value of `ni_order_export_option` to understand the expected array structure.\n2.  **Construct Payload:** Create a POST request targeting `admin-ajax.php`.\n3.  **Simulate CSRF:** Use the `http_request` tool with the Administrator's cookies to execute the state-changing request.\n\n### HTTP Request (CSRF Simulation):\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:**\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=ni_order_export_action&page=nioe-order-settings&ni_filename=vulnerable_poc_export&ni_common_settings[buttons]=pwned\n  ```\n\n*Note: Since the plugin saves the entire `$_REQUEST` array, the keys used depend on what the plugin's settings form expects. The keys `ni_filename` or `ni_common_settings` are common identifiers for this plugin.*\n\n## 6. Test Data Setup\n1.  **Install\u002FActivate Plugin:** Ensure `ni-woocommerce-order-export` and `woocommerce` are installed and active.\n2.  **Initial Configuration:** Navigate to the plugin settings once as an admin to ensure the default options are initialized in the database.\n3.  **Identify Admin Session:** The agent should already have access to the administrator session via the environment.\n\n## 7. Expected Results\n- The server should return a successful response (often `0` or `1` for WordPress AJAX, or a JSON success message).\n- The WordPress option `ni_order_export_option` will be updated with the malicious values provided in the request.\n\n## 8. 
Verification Steps\nAfter performing the `http_request`, verify the change using WP-CLI:\n\n```bash\n# Check the value of the affected option\nwp option get ni_order_export_option --format=json\n```\n\n**Successful Exploit Criteria:**\n- The output contains `\"ni_filename\": \"vulnerable_poc_export\"`.\n- The output contains the `action` and `page` keys (side effect of the plugin saving the entire `$_REQUEST` array).\n\n## 9. Alternative Approaches\nIf the plugin performs basic validation on the array structure:\n1.  **Form Extraction:** Use `browser_navigate` to the plugin's settings page and use `browser_eval` to extract the exact names of the input fields:\n    `browser_eval(\"Array.from(document.querySelectorAll('input[name]')).map(i => i.name)\")`\n2.  **Refined Payload:** Re-run the `http_request` using the exact keys found in the real settings form to ensure the `update_option` call doesn't fail due to data type mismatches.","The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 3.1.6. The plugin fails to implement nonce validation and capability checks in its 'ni_order_export_action' AJAX handler, specifically when processing settings updates. 
This allows an attacker to overwrite the plugin's configuration options by tricking a logged-in administrator into clicking a link or visiting a malicious page.","\u002F\u002F File: ni-woocommerce-order-export.php\nadd_action('wp_ajax_ni_order_export_action', 'ni_order_export_action');\n\nfunction ni_order_export_action() {\n    if (isset($_REQUEST['page']) && $_REQUEST['page'] === 'nioe-order-settings') {\n        Ni_Order_Setting::page_ajax();\n    }\n}\n\n---\n\n\u002F\u002F File: includes\u002Fclass-ni-order-setting.php\nclass Ni_Order_Setting {\n    public static function page_ajax() {\n        \u002F\u002F Vulnerable: No nonce check or capability check before updating options\n        update_option('ni_order_export_option', $_REQUEST);\n        wp_die();\n    }\n}","--- a\u002Fincludes\u002Fclass-ni-order-setting.php\n+++ b\u002Fincludes\u002Fclass-ni-order-setting.php\n@@ -1,5 +1,8 @@\n public static function page_ajax() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( -1 );\n+    }\n+    check_ajax_referer( 'ni_order_export_nonce', 'security' );\n     update_option('ni_order_export_option', $_REQUEST);\n     wp_die();\n }","The attacker targets the 'ni_order_export_action' AJAX action via the \u002Fwp-admin\u002Fadmin-ajax.php endpoint. By setting the 'page' parameter to 'nioe-order-settings', the plugin delegates the request to a function that saves the entire contents of $_REQUEST into the 'ni_order_export_option' database option. 
An attacker can craft a payload containing arbitrary configuration values (e.g., 'ni_filename=pwned') and trick an authenticated administrator into submitting it using a CSRF attack (such as a hidden auto-submitting HTML form on a malicious website), resulting in unauthorized modification of the plugin's export settings.","gemini-3-flash-preview","2026-04-27 14:03:29","2026-04-27 14:03:47",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fni-woocommerce-order-export\u002Ftags"]
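Review bot: in the `includes/class-ni-order-setting.php` hunk of `research_fix_diff`, the unchanged context line `update_option('ni_order_export_option', $_REQUEST);` still persists the entire request array after the new checks, so `action`, `page` and the `security` nonce field are stored in the option together with any key the caller chooses to send. Build the stored array from an explicit list of the settings keys the form defines and sanitize each value before calling `update_option`. The hunk also does not show where the `ni_order_export_nonce` nonce is created and passed to the settings form as `security`; without that side of the change, legitimate saves will fail the new `check_ajax_referer()` call.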