What the vulnerability does
01 Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.
Explanation of Vulnerability in Simple Terms
02 Summary
WooCommerce Orders & Customers Exporter versions 5.4 and earlier contain a SQL injection vulnerability in the export functionality. An attacker with low-level user access can inject malicious SQL commands through export parameters, potentially reading sensitive customer and order data from the database. The vulnerability requires authentication but no user interaction.
What an attacker can do
03 Attacker Capabilities
Read sensitive customer and order data from the database by injecting SQL commands into export requests.
Potential impact on your site
04 Site Impact
Customer personal data, order details, and payment information may be exposed to authenticated attackers with minimal privileges.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account (e.g., customer or subscriber role) on the WordPress site.
Key dates
06 Disclosure timeline
January 8, 2026
CVE published
April 28, 2026
Record updated