PT-2026-34297 · WordPress · Ni Woocommerce Order Export

Muhammad Afnaan · Published 2026-04-22 · Updated 2026-05-01 · CVE-2026-4140

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Ni WooCommerce Order Export versions prior to 3.1.7

Description

An issue exists where missing nonce validation in the ni_order_export_action() AJAX handler function allows unauthenticated attackers to modify plugin settings via a forged request. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax(), which calls update_option('ni_order_export_option', $_REQUEST) without verifying a nonce or checking user capabilities. This can be exploited if a site administrator is tricked into performing an action, such as clicking a link.

Recommendations

Update to a version later than 3.1.6.
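
The two checks the description names as missing, shown in a settings-saving AJAX handler. This is an added example for plugin authors and reviewers, not the plugin's code or its actual fix; the AJAX action name, nonce action, nonce field name and setting field names are hypothetical, and the capability used is an assumption.

```php
<?php
// Added example: hypothetical hardened settings handler, not the plugin's code.
// Pattern described in the advisory: update_option( 'ni_order_export_option', $_REQUEST )
// with no nonce verification and no capability check.

const EXAMPLE_NONCE_ACTION = 'example_order_export_settings'; // hypothetical nonce action
const EXAMPLE_OPTION_KEY   = 'ni_order_export_option';        // option name from the advisory

// Register for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_order_export', 'example_save_order_export_settings' );

function example_save_order_export_settings() {
    // 1. CSRF: the request must carry a nonce minted for this action in the
    //    current user's session. Passing false lets us return our own error.
    if ( ! check_ajax_referer( EXAMPLE_NONCE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a valid nonce only proves intent, not privilege.
    //    'manage_woocommerce' is an assumed capability for this example.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: read from $_POST only and keep an allow-list of known fields
    //    instead of persisting the whole request array.
    $allowed  = array( 'date_format', 'delimiter' ); // hypothetical field names
    $settings = array();
    foreach ( $allowed as $field ) {
        if ( isset( $_POST[ $field ] ) && is_string( $_POST[ $field ] ) ) {
            $settings[ $field ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }

    // Merge into the stored option so unspecified settings are left unchanged.
    $current = (array) get_option( EXAMPLE_OPTION_KEY, array() );
    update_option( EXAMPLE_OPTION_KEY, array_merge( $current, $settings ) );

    wp_send_json_success( array( 'saved' => array_keys( $settings ) ) );
}

// The settings form has to embed the matching token for the handler to accept it:
// wp_nonce_field( EXAMPLE_NONCE_ACTION, 'nonce' );
```

When auditing other handlers for the same weakness, look for `update_option()` calls reachable from `wp_ajax_*` hooks that have no preceding `check_ajax_referer()` or `wp_verify_nonce()` and no `current_user_can()` call.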

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-4140

Affected Products

Ni Woocommerce Order Export