Cross-Site Request Forgery Vulnerability in Ni WooCommerce Order Export Plugin by WordPress
CVE-2026-4140

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Ni WooCommerce Order Export
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-4140?

The Ni WooCommerce Order Export plugin for WordPress is susceptible to a Cross-Site Request Forgery (CSRF) due to inadequate nonce validation within the ni_order_export_action() AJAX handler. This weakness allows unauthenticated attackers to exploit the plugin by sending forged requests that can manipulate settings without the knowledge of the site administrator. This vulnerability is present in all versions up to and including 3.1.6, posing a significant risk if an administrative user inadvertently initiates a malicious action.

Affected Version(s)

Ni WooCommerce Order Export 0 <= 3.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ni-woocommerce...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Mar 13, 2026

Credit

Muhammad Afnaan

CVE-2026-4140 Data

JSON