
CVE-2026-11360: WooCommerce Order Export SQLi Vulnerability

CVE-2026-11360 is a SQL injection flaw in the Advanced Order Export For WooCommerce plugin that allows authenticated attackers to extract sensitive database information. This article covers technical details, affected versions, and mitigation.

CVE-2026-11360 Overview

CVE-2026-11360 is a SQL Injection vulnerability [CWE-89] in the Advanced Order Export For WooCommerce plugin for WordPress. The flaw affects all versions up to and including 4.0.10. The vulnerability stems from insufficient escaping of the sort_direction parameter combined with inadequate preparation of the underlying SQL query. Authenticated attackers with shop manager-level access or above can append additional SQL clauses to existing queries. Successful exploitation allows extraction of sensitive data from the WordPress database, including user credentials, customer information, and order data.

Critical Impact

Authenticated shop managers can execute arbitrary SQL queries to exfiltrate sensitive data from the WordPress database via the sort_direction parameter.

Affected Products

  • Advanced Order Export For WooCommerce plugin (woo-order-export-lite) versions through 4.0.10
  • WordPress installations running the affected plugin with Shop Manager or higher roles enabled
  • WooCommerce stores exposing the order export AJAX endpoint

Discovery Timeline

  • 2026-06-18 - CVE-2026-11360 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-11360

Vulnerability Analysis

The vulnerability resides in the order export engine of the woo-order-export-lite plugin. The sort_direction parameter flows from user input into a SQL query that is concatenated rather than prepared. Because the plugin calls stripslashes_deep() on incoming request data, the WordPress wp_magic_quotes protection is removed before the value reaches the SQL context. Quote and backslash characters survive intact, enabling query manipulation. The affected code paths exist in class-wc-order-export-engine.php and the AJAX export trait, which handle order sorting and result assembly.

Root Cause

The root cause is a failure to apply parameterized queries or proper escaping to a sort-order value. The plugin assumes sort_direction will only contain ASC or DESC, but does not enforce that constraint with allowlisting or $wpdb->prepare(). Combined with the explicit removal of magic-quote slashes, the parameter is injected directly into the ORDER BY clause of the constructed SQL statement.
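The pattern the two sections above describe, as an added illustration that is not the plugin's code: the function names and the query are hypothetical, and a loaded WordPress environment ($wpdb, stripslashes_deep) is assumed.

```php
<?php
// Added illustration, not the plugin's code: hypothetical query builders that
// show the concatenation pattern the advisory describes and an allowlisted
// replacement. Assumes a loaded WordPress environment ($wpdb, stripslashes_deep).

// Pattern described in the advisory (hypothetical reconstruction): the value is
// un-slashed and then pasted into ORDER BY, so whatever the request carries
// becomes SQL text. esc_sql() would not help here either, because the value is
// not inside quotes; only an allowlist makes an ORDER BY direction safe.
function woe_example_build_query_vulnerable( array $request ) {
    global $wpdb;
    $request = stripslashes_deep( $request );
    $dir     = isset( $request['sort_direction'] ) ? $request['sort_direction'] : 'DESC';
    return "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'shop_order' ORDER BY post_date " . $dir;
}

// Hardened form: $wpdb->prepare() cannot bind ASC/DESC as a placeholder, so the
// direction is reduced to one of two constants before it touches the query.
function woe_example_sort_direction( $raw ) {
    $dir = strtoupper( trim( (string) $raw ) );
    return in_array( $dir, array( 'ASC', 'DESC' ), true ) ? $dir : 'DESC';
}

function woe_example_build_query_hardened( array $request ) {
    global $wpdb;
    $dir = woe_example_sort_direction( isset( $request['sort_direction'] ) ? $request['sort_direction'] : '' );
    // Data values still go through prepare(); the interpolated $dir is now a constant.
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s ORDER BY post_date {$dir}",
        'shop_order'
    );
}
```

Any value other than ASC or DESC silently becomes DESC, which is the behaviour a sort toggle should have anyway.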

Attack Vector

Exploitation requires authentication at the Shop Manager level or higher, specifically the view_woocommerce_reports or export_woocommerce_orders capability. The attacker must also supply a valid woe_nonce token, which is accessible from the plugin's admin interface to authorized users. The attacker submits a crafted POST request to the order export AJAX endpoint with a malicious sort_direction value containing additional SQL syntax. The injected payload executes within the database query, returning data through the export response or via time-based inference techniques.

The vulnerability is described in prose only because no verified proof-of-concept code is publicly available. Technical details are documented in the Wordfence Vulnerability Report and the affected source files on the WordPress Plugin Repository.

Detection Methods for CVE-2026-11360

Indicators of Compromise

  • POST requests to admin-ajax.php with the woe_nonce parameter and unusual sort_direction values containing SQL keywords such as UNION, SELECT, SLEEP, or comment sequences (--, /*).
  • Unexpected order exports initiated by Shop Manager accounts outside of normal business hours.
  • MySQL slow query log entries showing complex ORDER BY clauses originating from the WooCommerce export engine.

Detection Strategies

  • Inspect WordPress access logs for AJAX requests containing the sort_direction parameter with non-alphabetic characters or excessive length.
  • Correlate Shop Manager session activity with database query volume to identify anomalous export behavior.
  • Deploy web application firewall rules that flag SQL metacharacters in WooCommerce export parameters.
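The indicator and request-inspection checks above, as an added example that is not part of the advisory: the record format and function name are assumptions, and the sample records are constructed.

```php
<?php
// Added example, not from the advisory or the plugin: applies the indicators
// above to request records. Records are constructed here; a real pipeline
// would supply them from a WAF or application log that records POST fields
// (plain web-server access logs do not capture the request body).

function woe_detect_suspicious_sort_direction( array $req ) {
    $params = isset( $req['params'] ) ? $req['params'] : array();
    if ( strtoupper( $req['method'] ) !== 'POST'
        || strpos( $req['uri'], 'admin-ajax.php' ) === false
        || ! isset( $params['woe_nonce'], $params['sort_direction'] ) ) {
        return array(); // not an export request; out of scope for this rule
    }
    $value = (string) $params['sort_direction'];
    if ( in_array( strtoupper( $value ), array( 'ASC', 'DESC' ), true ) ) {
        return array(); // the only two values the export ever needs
    }
    $reasons = array();
    if ( preg_match( '/[^A-Za-z]/', $value ) ) {
        $reasons[] = 'non-alphabetic characters';
    }
    if ( strlen( $value ) > 4 ) {
        $reasons[] = 'length ' . strlen( $value ) . ' exceeds longest legitimate value';
    }
    if ( preg_match( '/\b(UNION|SELECT|SLEEP)\b|--|\/\*/i', $value ) ) {
        $reasons[] = 'SQL keyword or comment sequence';
    }
    if ( ! $reasons ) {
        $reasons[] = 'outside ASC/DESC allowlist';
    }
    return $reasons;
}

// Constructed sample records (nonce values are placeholders).
$samples = array(
    array( 'method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
           'params' => array( 'woe_nonce' => 'nonce-1', 'sort_direction' => 'desc' ) ),
    array( 'method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php?page=x',
           'params' => array( 'woe_nonce' => 'nonce-2', 'sort_direction' => 'DESC -- tail' ) ),
    array( 'method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
           'params' => array( 'woe_nonce' => 'nonce-3', 'sort_direction' => 'DESCENDING' ) ),
    array( 'method' => 'GET',  'uri' => '/wp-admin/admin-ajax.php',
           'params' => array( 'sort_direction' => 'DESC -- tail' ) ),
);
foreach ( $samples as $i => $sample ) {
    $reasons = woe_detect_suspicious_sort_direction( $sample );
    printf( "request %d: %s\n", $i + 1, $reasons ? 'FLAG (' . implode( '; ', $reasons ) . ')' : 'ok' );
}
```

Records 2 and 3 are flagged with the matching reasons; record 1 is a legitimate lowercase value and record 4 is skipped because the rule only scopes to POST requests carrying woe_nonce.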

Monitoring Recommendations

  • Enable WordPress audit logging for all role assignments and capability changes, particularly Shop Manager grants.
  • Monitor outbound responses from admin-ajax.php for abnormally large payloads that may indicate data exfiltration.
  • Alert on repeated failed nonce validations followed by successful ones, which can indicate credential reuse or session theft.

How to Mitigate CVE-2026-11360

Immediate Actions Required

  • Update the Advanced Order Export For WooCommerce plugin to a version newer than 4.0.10 once the patched release is published.
  • Audit all WordPress accounts holding the view_woocommerce_reports or export_woocommerce_orders capability and remove unnecessary privileges.
  • Rotate database credentials and WordPress secret keys if exploitation is suspected.

Patch Information

The vendor commit is tracked in the WordPress Plugin Changeset 3564108 for woo-order-export-lite. Administrators should apply the fixed version through the WordPress plugin updater. Confirmation of the patched release is available in the Wordfence Vulnerability Report.

Workarounds

  • Temporarily disable the Advanced Order Export For WooCommerce plugin until the patch is applied.
  • Restrict access to the WordPress admin interface using IP allowlisting at the web server or WAF layer.
  • Enforce multi-factor authentication for all accounts holding Shop Manager or Administrator roles to reduce the risk of credential compromise.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
