CVE-2025-22713 HIGH

CVE-2025-22713: WordPress WooCommerce Orders & Customers Exporter plugin <= 5.4 - SQL Injection vulnerability

Vendor: Vanquish
Product: WooCommerce Orders & Customers Exporter
Weakness: CWE-89 · SQLi
Published: January 8, 2026
Last update: April 28, 2026

CVSS base score

8.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01 Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vanquish WooCommerce Orders & Customers Exporter (woocommerce-orders-ei) allows SQL Injection. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.

Explanation of Vulnerability in Simple Terms

02 Summary

WooCommerce Orders & Customers Exporter versions 5.4 and earlier contain a SQL injection vulnerability in the export functionality. An attacker with low-level user access can inject malicious SQL commands through export parameters, potentially reading sensitive customer and order data from the database. The vulnerability requires authentication but no user interaction.

What an attacker can do

03 Attacker Capabilities

Read sensitive customer and order data from the database by injecting SQL commands into export requests.

Potential impact on your site

04 Site Impact

Customer personal data, order details, and payment information may be exposed to authenticated attackers with minimal privileges.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account (e.g., customer or subscriber role) on the WordPress site.

Key dates

06 Disclosure timeline

January 8, 2026: CVE published
April 28, 2026: Record updated
