CVE-2024-13922: 
WordPress vulnerability analysis and mitigation

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 2.6.0. The vulnerability exists due to insufficient file path validation in the adminlogpage() function, which allows authenticated attackers with Administrator-level access to delete arbitrary log files on the server (NVD).

The vulnerability stems from insufficient file path validation in the adminlogpage() function. The issue is tracked as CWE-73 (External Control of File Name or Path). The CVSS v3.1 scores vary between sources: NVD rates it as 6.5 MEDIUM (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) while Wordfence rates it as 2.7 LOW (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N) (NVD).

When exploited, this vulnerability allows authenticated attackers with Administrator-level privileges to delete arbitrary log files on the server. This could potentially lead to loss of important logging information and affect the system's audit capabilities (NVD).

The vulnerability has been patched in version 2.6.1 of the Order Export & Order Import for WooCommerce plugin. Users are advised to update to this version or later to protect against this vulnerability (Plugin Changelog).