CVE-2024-13923: 
WordPress vulnerability analysis and mitigation

The Order Export & Order Import for WooCommerce plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in versions up to and including 2.6.0. The vulnerability exists in the validate_file() function, which allows authenticated attackers with Administrator-level access to make web requests to arbitrary locations originating from the web application. This can potentially be used to query and modify information from internal services (NVD CVE).

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) according to NVD, while Wordfence assessed it with a higher score of 7.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N) (NVD CVE).

The vulnerability allows authenticated attackers with administrator privileges to make web requests to arbitrary locations from the web application. This could potentially lead to unauthorized access to internal services and the ability to query and modify information within these services (NVD CVE).

The vulnerability has been patched in version 2.6.1 of the Order Export & Order Import for WooCommerce plugin. Users are advised to update to this version immediately. The update includes security fixes for SSRF, arbitrary file deletion, PHP object injection, and directory traversal vulnerabilities (WordPress Plugin).