What the vulnerability does
01 Description
Missing Authorization vulnerability in WebToffee Order Export & Order Import for WooCommerce order-import-export-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Export & Order Import for WooCommerce: from n/a through <= 2.6.7.
Explanation of Vulnerability in Simple Terms
02 Summary
The Order Export & Order Import for WooCommerce plugin through version 2.6.7 does not properly check user permissions before allowing access to export and import functionality. A logged-in user with low privileges can read order data they should not have access to. The vulnerability requires an active WordPress account but no special role or capability.
What an attacker can do
03 Attacker Capabilities
Read order data belonging to other users or the site without proper authorization.
Potential impact on your site
04 Site Impact
Customer order information may be exposed to unauthorized users who have basic site access.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low privileges (e.g., subscriber or customer role).
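To find installs that fall in the affected range (through 2.6.7), the sketch below reads the plugin's header comment on disk and compares the version. It is an added example, not code from the advisory or the plugin; it assumes the default `wp-content/plugins` layout, and the sample file name `main.php` is made up.

```python
import re
import tempfile
from pathlib import Path

SLUG = "order-import-export-for-woocommerce"  # plugin slug, from the advisory
LAST_AFFECTED = (2, 6, 7)                     # "through <= 2.6.7", from the advisory
HEADER = re.compile(rb"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def parse_version(text):
    """'2.6.7' -> (2, 6, 7). Stops at the first non-numeric part; trailing zeros dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def installed_version(plugin_dir):
    """Read Version from the plugin header comment (first 8 KiB of the
    top-level .php file that carries a 'Plugin Name:' line)."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        fields = {}
        for key, value in HEADER.findall(php.read_bytes()[:8192]):
            fields.setdefault(key.decode().lower(), value.decode(errors="replace").strip())
        if "plugin name" in fields:
            return fields.get("version")
    return None

def check_site(wp_root):
    """Return (status, version); status is absent, unknown, affected or outside_range."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG  # assumes default layout
    if not plugin_dir.is_dir():
        return ("absent", None)
    version = installed_version(plugin_dir)
    parsed = parse_version(version or "")
    if not parsed:
        return ("unknown", version)  # header missing or unparsable: review by hand
    return ("affected" if parsed <= LAST_AFFECTED else "outside_range", version)

def make_sample(root, version):
    """Constructed sample install; 'main.php' is a made-up file name."""
    d = Path(root) / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True)
    (d / "main.php").write_text(f"<?php\n/*\n * Plugin Name: Sample\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for v in ("2.6.7", "2.6.8"):
        with tempfile.TemporaryDirectory() as tmp:
            print(v, check_site(make_sample(tmp, v)))
```

An `unknown` result means the directory exists but no version could be read, so that install should be checked manually rather than treated as safe.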
Key dates
06 Disclosure timeline
November 13, 2025: CVE published
April 28, 2026: Record updated