SQL Injection Vulnerability in Advanced Order Export For WooCommerce Plugin by WordPress
CVE-2026-11360

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Advanced Order Export For WooCommerce
Vendor: CVE Published:; 18 June 2026

What is CVE-2026-11360?

The Advanced Order Export For WooCommerce plugin for WordPress is susceptible to SQL Injection through the 'sort_direction' parameter in versions up to 4.0.10. This vulnerability arises from inadequate escaping of user-supplied input and insufficient preparation of the SQL query, allowing authenticated attackers with shop manager privileges or higher to inject malicious SQL code. Such actions can lead to unauthorized access to sensitive database information. The endpoint also relies on validated nonces and strips out magic quotes protection before processing, which heightens the risk as it allows harmful characters to persist within the SQL context.

Affected Version(s)

Advanced Order Export For WooCommerce 0 <= 4.0.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woo-order-expo...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Yaswanth Reddy Sunkara

CVE-2026-11360 Data

JSON