PT-2026-34297 · Anzia · Ni Woocommerce Order Export

Muhammad Afnaan · Published 2026-04-22 · Updated 2026-04-22 · CVE-2026-4140

CVSS v3.1: 4.3 Medium (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the ni_order_export_action() AJAX handler function. The handler processes settings updates when the 'page' parameter is set to 'nioe-order-settings', delegating to Ni_Order_Setting::page_ajax() which calls update_option('ni_order_export_option', $_REQUEST) without verifying any nonce or checking user capabilities. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
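The hardened shape of such a settings handler, as an added example that is not the plugin's code or the vendor's patch: it performs the nonce check and the capability check the advisory reports as missing, and stores an allow-listed subset of the input instead of the whole request. The function name, AJAX action, nonce action and field keys are hypothetical; only the option name comes from the advisory, and a loaded WordPress environment is assumed.

```php
<?php
// Added example. Hypothetical names: example_nioe_*, the nonce action and
// the field keys. Only 'ni_order_export_option' is taken from the advisory.

const EXAMPLE_NIOE_NONCE_ACTION = 'example_nioe_save_settings';

// Only these keys are ever written; anything else in the request is dropped.
const EXAMPLE_NIOE_ALLOWED_KEYS = array( 'example_field_a', 'example_field_b' );

function example_nioe_save_settings() {
    // 1. CSRF: require a nonce minted for this action in the current user's
    //    session. With $die = false the call returns false on failure
    //    instead of calling wp_die(), so the handler can answer in JSON.
    if ( ! check_ajax_referer( EXAMPLE_NIOE_NONCE_ACTION, '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization: a valid nonce shows intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: read from $_POST rather than $_REQUEST (which also merges
    //    query-string values) and keep only allow-listed string fields.
    $settings = array();
    foreach ( EXAMPLE_NIOE_ALLOWED_KEYS as $key ) {
        if ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ) {
            $settings[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        }
    }

    update_option( 'ni_order_export_option', $settings );
    wp_send_json_success( array( 'saved' => array_keys( $settings ) ) );
}

// Registered for logged-in users only; there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_nioe_save_settings', 'example_nioe_save_settings' );

// The settings form has to emit the matching token, for example:
// wp_nonce_field( EXAMPLE_NIOE_NONCE_ACTION, '_wpnonce' );
```

wp_send_json_error() and wp_send_json_success() terminate the request, so no code after a failed check runs.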

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-4140

Affected Products

Ni Woocommerce Order Export