CVE-2024-13920
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to perform directory traversal attacks via the Order Export & Order Import for WooCommerce plugin. Attackers can read arbitrary log files on the server, potentially exposing sensitive information. Only WordPress sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Order Export & Order Import for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Administrator credentials are compromised, allowing attackers to read sensitive server logs containing database credentials, API keys, or other confidential data, leading to full site compromise.
Likely Case
Attackers with administrator access read log files containing user information, order details, or debugging data that could be used for further attacks.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized log file access by already-privileged users.
🎯 Exploit Status
Exploitation requires administrator credentials. The vulnerability is in the download_file() function, which does not properly validate file paths before serving the requested file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.1
Vendor Advisory: https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Order Export & Order Import for WooCommerce'.
4. Click 'Update Now' if available, or download version 2.6.1+ from the WordPress repository.
5. If a manual update is required, deactivate and delete the old version.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until patched
wp plugin deactivate order-import-export-for-woocommerce
Restrict administrator access
Review and limit administrator accounts to trusted users only
🧯 If You Can't Patch
- Implement strict file permission controls on log directories
- Monitor administrator account activity and implement multi-factor authentication
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 2.6.0 or lower, you are vulnerable.
Check Version:
wp plugin get order-import-export-for-woocommerce --field=version
Verify Fix Applied:
Verify plugin version is 2.6.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs, especially requests to download_file with path traversal sequences (../)
Network Indicators:
- HTTP requests to admin-ajax.php or admin-post.php with file download parameters containing path traversal
SIEM Query:
source="web_access" AND (uri="*admin-ajax.php*" OR uri="*admin-post.php*") AND (params="*download_file*" AND params="*../*")
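The SIEM logic above, applied directly to web-server access logs, as an added example that is not part of the advisory or the plugin: it parses Combined Log Format lines, URL-decodes query values until stable so encoded and double-encoded traversal sequences are caught, and flags download_file requests to admin-ajax.php or admin-post.php. The log lines and the parameter names (action=download_file, file=) are constructed for illustration; the plugin's real parameter names are not given on this page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format), not real traffic. The parameter
# names (action=download_file, file=) are assumptions; the advisory does not give the real ones.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-admin/admin.php?page=export_history HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:12:00:07 +0000] "GET /wp-admin/admin-post.php?action=download_file&file=..%2F..%2F..%2Fwp-content%2Fdebug.log HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=download_file&file=....//....//debug.log HTTP/1.1" 200 900 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2025:12:01:30 +0000] "GET /wp-admin/admin-ajax.php?action=download_file&file=export_2025-03-10.log HTTP/1.1" 200 2200 "-" "curl/8.0"
192.0.2.7 - - [10/Mar/2025:12:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=download_file&file=..%252F..%252Fdebug.log HTTP/1.1" 200 640 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # "../" or "..\" after decoding; "....//" still contains "../"
WP_ENDPOINTS = {"/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php"}

def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so double-encoded %252F becomes '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_download(line):
    """Return a finding dict for a download_file request carrying a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path not in WP_ENDPOINTS or "download_file" not in decode_fully(url.query):
        return None
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:  # parse_qs already decoded once; decode again for nested encoding
            decoded = decode_fully(value)
            if TRAVERSAL_RE.search(decoded):
                return {"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                        "value": decoded, "status": int(m.group("status"))}
    return None

def scan(log_text):
    """Run the detector over every line and collect the findings in log order."""
    return [f for f in map(is_traversal_download, log_text.splitlines()) if f]
```

Running scan(SAMPLE_LOG) yields one finding for each of the three traversal requests and none for the legitimate export download or the unrelated admin.php request; requests that carry the path in a POST body are not visible in access logs and need application-level logging.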
🔗 References
- https://plugins.trac.wordpress.org/browser/order-import-export-for-woocommerce/trunk/admin/modules/history/history.php#L751
- https://plugins.trac.wordpress.org/changeset/3258567/
- https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dba84eb3-f48a-4175-a652-7c11b12c9afc?source=cve