CVE-2024-13923
Published: 20 March 2025
Summary
CVE-2024-13923 is a high-severity SSRF (CWE-918) vulnerability in Webtoffee Order Export \& Order Import For Woocommerce. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the SSRF vulnerability by requiring validation of inputs to the validate_file() function, preventing arbitrary server-side web requests to internal services.
Ensures timely identification, reporting, and patching of the specific flaw in the Order Export & Order Import for WooCommerce plugin up to version 2.6.0.
Monitors and controls communications at system boundaries to block or detect unauthorized outbound requests from the web server to internal resources exploited via SSRF.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing WordPress plugin directly maps to T1190 for exploitation; enables internal reconnaissance of systems/services via arbitrary server requests.
NVD Description
The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.0 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and…
more
above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Deeper analysisAI
CVE-2024-13923 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Order Export & Order Import for WooCommerce plugin for WordPress in all versions up to and including 2.6.0. The flaw resides in the validate_file() function, which fails to properly restrict requests, enabling unauthorized server-side interactions. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N), reflecting high confidentiality impact with changed scope due to potential access to internal resources.
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability by leveraging the plugin's functionality to initiate web requests to arbitrary locations from the web application server. This allows them to query sensitive information from internal services or, in some cases, modify data, bypassing network restrictions and exposing backend systems to reconnaissance or limited manipulation.
Advisories from Wordfence detail the vulnerability and its exploitation vectors, while a patch is available in WordPress plugin trac changeset 3258567, addressing the issue in the class-import-ajax.php file around line 175. Security practitioners should update to a version beyond 2.6.0 and review access controls for admin users on affected WordPress installations.
Details
- CWE(s)