PT-2025-2232 · WordPress · Order Export For Woocommerce

Tim Coen · Published 2025-01-31 · Updated 2025-01-31 · CVE-2024-13623

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Order Export for WooCommerce plugin for WordPress versions up to, and including, 3.24

Description

The issue allows unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory, which can contain exported order information. This is possible when the Order data storage is set to WordPress posts storage (legacy), but not when the default option of High-performance order storage is enabled.

Recommendations

For versions up to, and including, 3.24, consider changing the Order data storage setting from WordPress posts storage (legacy) to High-performance order storage to prevent exploitation. As a temporary workaround, restrict access to the /wp-content/uploads directory to minimize the risk of sensitive data exposure. Avoid using the WordPress posts storage (legacy) option for Order data storage until a patch is available.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-13623

Affected Products

Order Export For Woocommerce