CVE-2024-13921
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to inject PHP objects via deserialization of untrusted input in the Order Export & Order Import for WooCommerce plugin. The vulnerability only becomes dangerous when combined with another plugin or theme containing a POP chain, which could enable file deletion, data theft, or code execution. Only WordPress sites using this specific plugin are affected.
💻 Affected Systems
- Order Export & Order Import for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
If combined with a POP chain from another plugin/theme, attackers could achieve remote code execution, delete arbitrary files, or exfiltrate sensitive data from the WordPress installation.
Likely Case
Most installations will see no impact since no POP chain exists in the vulnerable plugin itself, requiring a specific combination of vulnerable components for exploitation.
If Mitigated
With proper access controls limiting administrator accounts and regular plugin updates, the risk is minimal as the vulnerability requires admin privileges and specific plugin combinations.
🎯 Exploit Status
Exploitation requires administrator credentials and depends on finding/creating a suitable POP chain from other installed components.
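To make the "deserialization plus POP chain" point concrete, the following PHP is an added illustration and is not code from the plugin or from the Wordfence advisory. `TempFileCleanup` is a hypothetical gadget class standing in for something a third-party plugin or theme might legitimately define; `vulnerable_handler()` shows the generic unsafe pattern (untrusted `form_data` handed to `unserialize()`), not the plugin's actual handler. The demo only deletes a temporary file it creates itself.

```php
<?php
// Added illustrative example; not the plugin's own code.

// Hypothetical gadget: a helper another plugin/theme might ship. Harmless on its
// own, but its __destruct() runs on ANY unserialized instance, so it becomes a
// file-deletion sink once an attacker controls the serialized data.
class TempFileCleanup {
    public $path;
    public function __construct(string $path) { $this->path = $path; }
    public function __destruct() {
        if (is_file($this->path)) {
            unlink($this->path);   // POP-chain sink: arbitrary file deletion
        }
    }
}

// Vulnerable pattern: POST data goes straight into unserialize(), so magic
// methods (__wakeup, __destruct, __toString, ...) of any loaded class can fire.
function vulnerable_handler(string $formData) {
    return unserialize($formData);
}

// Hardened pattern 1: never instantiate classes from untrusted input.
// Objects come back as __PHP_Incomplete_Class, whose magic methods do nothing.
function hardened_handler(string $formData) {
    return unserialize($formData, ['allowed_classes' => false]);
}

// Hardened pattern 2: carry form state as JSON, which cannot encode objects at all.
function hardened_json_handler(string $json): ?array {
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// --- demo ---
$victim = tempnam(sys_get_temp_dir(), 'victim');   // stand-in for e.g. wp-config.php

// Attacker-supplied form_data: a serialized TempFileCleanup pointing at the target.
$payload = sprintf('O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}',
                   strlen($victim), $victim);

$obj = hardened_handler($payload);
var_dump($obj instanceof __PHP_Incomplete_Class);  // bool(true): gadget not instantiated
unset($obj);
var_dump(file_exists($victim));                    // bool(true): file survived

$obj = vulnerable_handler($payload);
var_dump($obj instanceof TempFileCleanup);         // bool(true): gadget instantiated
unset($obj);                                       // __destruct() fires here ...
var_dump(file_exists($victim));                    // bool(false): ... and deletes the target
```

The `allowed_classes` option (PHP 7.0+) is a useful belt-and-braces control, but the primary fix is not to run `unserialize()` on request data at all; the JSON variant is the shape that removes the bug class entirely.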
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.1 or later
Vendor Advisory: https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Order Export & Order Import for WooCommerce'.
4. Click 'Update Now' if available, or download the latest version from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Remove or deactivate the vulnerable plugin
WordPress: temporarily deactivate or remove the plugin until it can be updated. Deactivation is sufficient, since WordPress does not load an inactive plugin and its AJAX handlers are therefore not registered; deleting it also discards the plugin's saved settings.
wp plugin deactivate order-import-export-for-woocommerce
wp plugin delete order-import-export-for-woocommerce
🧯 If You Can't Patch
- Restrict administrator accounts to only trusted personnel
- Audit and remove unnecessary plugins/themes that could provide POP chains
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins → Installed Plugins; any version below 2.6.1 is vulnerable.
Check Version:
wp plugin get order-import-export-for-woocommerce --field=version
Verify Fix Applied:
Verify plugin version is 2.6.1 or higher after update
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'form_data' parameter
- Multiple failed authentication attempts followed by successful admin login
Network Indicators:
- HTTP requests containing serialized PHP objects in POST data
- Unusual outbound connections from WordPress server after admin actions
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "form_data" AND ("O:" OR "C:" in request_body)
Note: this pseudo-query only works where request bodies are logged; standard web server access logs do not record POST bodies, so a WAF audit log or application-level request logging is needed. Match on the serialized-object prefix "O:" and the custom-serializable prefix "C:" only; the serialized-array prefix "a:" appears in routine WordPress traffic and would generate constant false positives.
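The detection logic above, run over sample data, as an added example that is not part of the original advisory. The log format is constructed for the demo (timestamp, client IP, method, path, then the urlencoded POST body, as a WAF audit log or application-level request logger might record it); the `action=example_step` parameter is a made-up placeholder, not the plugin's real AJAX action name. The scanner flags only `admin-ajax.php` POSTs whose `form_data` carries a serialized object (`O:`/`C:`), including one nested inside a serialized array, and ignores plain serialized arrays.

```php
<?php
// Added example; not code from the plugin or the advisory.

// Serialized object ("O:") or custom-serializable ("C:") token at the top level or
// following an array separator. A preceding '"' is deliberately excluded so that a
// string VALUE containing 'O:' does not match.
const SERIALIZED_OBJECT_RE = '/(?:^|[;{])(?:O|C):\d+:"/';

// Pull the form_data parameter out of a urlencoded POST body.
function extract_form_data(string $body): ?string {
    parse_str($body, $params);
    return (isset($params['form_data']) && is_string($params['form_data']))
        ? $params['form_data'] : null;
}

// Returns an alert record for a suspicious line, or null.
// Constructed line format: "<ts> <ip> POST <path> <urlencoded body>"
function classify_line(string $line): ?array {
    if (!preg_match('/^(\S+) (\S+) POST (\S+) (.*)$/', $line, $m)) {
        return null;                                // not a POST we can parse
    }
    [, $ts, $ip, $path, $body] = $m;
    if (strpos($path, 'admin-ajax.php') === false) {
        return null;                                // not an admin-ajax request
    }
    $formData = extract_form_data($body);
    if ($formData === null || !preg_match(SERIALIZED_OBJECT_RE, $formData)) {
        return null;                                // no form_data, or arrays/scalars only
    }
    preg_match_all('/(?:O|C):\d+:"([^"]+)"/', $formData, $classes);
    return ['ts' => $ts, 'ip' => $ip, 'classes' => $classes[1]];
}

function scan(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        $hit = classify_line($line);
        if ($hit !== null) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample log lines for the demo.
$ajax = '/wp-admin/admin-ajax.php action=example_step&form_data=';
$lines = [
    // benign: serialized array of form fields, what the plugin would normally send
    '2025-01-10T10:01:02Z 203.0.113.5 POST ' . $ajax
        . urlencode('a:2:{s:4:"type";s:5:"order";s:6:"format";s:3:"csv";}'),
    // top-level serialized object aimed at a file-deletion gadget
    '2025-01-10T10:01:09Z 203.0.113.5 POST ' . $ajax
        . urlencode('O:15:"TempFileCleanup":1:{s:4:"path";s:27:"/var/www/html/wp-config.php";}'),
    // unrelated POST: no form_data, not admin-ajax
    '2025-01-10T10:02:00Z 198.51.100.7 POST /wp-login.php log=admin&pwd=secret',
    // object smuggled inside an otherwise normal-looking array
    '2025-01-10T10:03:00Z 203.0.113.5 POST ' . $ajax
        . urlencode('a:1:{s:4:"step";O:8:"stdClass":0:{}}'),
];

foreach (scan($lines) as $hit) {
    printf("ALERT %s from %s: serialized object(s) in form_data: %s\n",
           $hit['ts'], $hit['ip'], implode(', ', $hit['classes']));
}
// Expected: two ALERT lines (10:01:09 TempFileCleanup, 10:03:00 stdClass);
// the benign array and the wp-login.php POST produce nothing.
```

The class names the scanner reports are the pivot for triage: a class that is not defined by WordPress core or by an installed plugin or theme is a probe, while one that is defined locally tells you which component supplied the gadget and should be reviewed or removed.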
🔗 References
- https://plugins.trac.wordpress.org/browser/order-import-export-for-woocommerce/trunk/admin/modules/export/classes/class-export-ajax.php
- https://plugins.trac.wordpress.org/browser/order-import-export-for-woocommerce/trunk/admin/modules/import/classes/class-import-ajax.php
- https://plugins.trac.wordpress.org/changeset/3258567/
- https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c5fcfa21-b3f7-4241-a931-9708ced4f811?source=cve