WooCommerce Plugin Vulnerable to CSRF Attacks
CVE Notify is flagging a critical Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2026-3499, in the Product Feed PRO for WooCommerce by AdTribes plugin for WordPress. The flaw affects versions 13.4.6 through 13.5.2.1. According to CVE Notify, it stems from missing or insufficient nonce validation in several admin-side AJAX handlers. Judging by the names of the affected functions, those handlers perform state-changing maintenance operations: migrating feeds to a custom post type, clearing cached custom-attribute meta keys, lower-casing feed file URLs, switching to legacy filters and rules, and fixing duplicated feeds.
An attacker who can get a logged-in administrator to open a malicious page, click a crafted link, or perform a seemingly innocuous action can make the administrator's browser send one of these AJAX requests with the administrator's session cookies attached. Because the handlers do not verify a nonce, the plugin cannot distinguish a forged request from a legitimate one, so the attacker can trigger feed migrations, manipulate cached data, or delete duplicated feed posts. Note that authentication is not bypassed: the request is fully authenticated as the administrator, and that is the point of CSRF. The missing control is proof that the administrator intended the action, which is exactly what a nonce tied to the user's session supplies.
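The pattern behind this class of bug, shown as an added example rather than the plugin's own code: a WordPress AJAX handler that only checks the user's capability beside one that also requires a nonce. The action names (`example_migrate_feeds`, `example_migrate_feeds_safe`), the option key and the `admin.js` script path are hypothetical; the WordPress functions (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script`, `wp_send_json_*`) are real core APIs.

```php
<?php
/**
 * Added illustration of the CSRF pattern described above. Hypothetical plugin
 * code: action names, option key and script path are invented for the example.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Only the capability is checked. An administrator lured to an attacker's page
// still passes this check, because the browser attaches their cookies to the
// forged request to admin-ajax.php. Nothing proves the admin intended it.
add_action( 'wp_ajax_example_migrate_feeds', 'example_migrate_feeds_unsafe' );
function example_migrate_feeds_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_feed_migrated', 1 ); // state-changing side effect
    wp_send_json_success( 'migrated' );
}

// --- Hardened pattern -------------------------------------------------------
// The request must carry a nonce minted for this user and this action.
// check_ajax_referer() terminates the request with a 403 when the 'nonce'
// field is missing or does not validate, before any side effect happens.
// Capability and nonce are independent checks; both are required.
add_action( 'wp_ajax_example_migrate_feeds_safe', 'example_migrate_feeds_safe' );
function example_migrate_feeds_safe() {
    check_ajax_referer( 'example_migrate_feeds', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_feed_migrated', 1 );
    wp_send_json_success( 'migrated' );
}

// The plugin's own admin page hands the nonce to its script. A page on another
// origin cannot read this value, so it cannot build a request that validates.
// The script (hypothetical admin.js) POSTs action=example_migrate_feeds_safe
// together with nonce=exampleAjax.nonce to exampleAjax.url.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_migrate_feeds' ),
    ) );
} );
```

When auditing a plugin for this bug, look at every `wp_ajax_*` and `wp_ajax_nopriv_*` callback and confirm that a state-changing handler calls `check_ajax_referer()` (or `wp_verify_nonce()` on a submitted field) before its first write. A capability check alone, as in the first handler, is the tell-tale sign of the flaw this advisory describes.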
What This Means For You
- Given the CSRF nature of this vulnerability, confirm the installed version of Product Feed PRO for WooCommerce (Plugins screen or `wp plugin list`) and update any site running 13.4.6 through 13.5.2.1 to a patched release. For sites that cannot update immediately, a Web Application Firewall can reduce exposure, for example by rejecting POSTs to `admin-ajax.php` whose `Origin` or `Referer` header is not the site's own origin. Treat this as a stopgap: a WAF can only inspect headers that browsers happen to send, and the real fix is nonce verification inside the plugin. Reminding administrators not to browse untrusted sites while logged in to wp-admin also limits the attack window.
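A small must-use plugin, added here as an example and not part of Product Feed PRO or of the advisory, that surfaces an admin notice when the installed version falls inside the affected range. The plugin file path `woo-product-feed-pro/woo-product-feed-pro.php` is an assumption; check the plugins list if the path differs on your install. The range bounds come from the advisory above.

```php
<?php
/**
 * Plugin Name: Example CVE-2026-3499 version check
 * Description: Added example (not the vendor's code). Drop into wp-content/mu-plugins/.
 */

// Affected range as stated in the advisory. The main plugin file path is an
// assumption; verify it against the installed plugin directory.
const EXAMPLE_PFP_FILE = 'woo-product-feed-pro/woo-product-feed-pro.php';
const EXAMPLE_PFP_MIN  = '13.4.6';
const EXAMPLE_PFP_MAX  = '13.5.2.1';

// version_compare() handles four-component versions such as 13.5.2.1, so a
// naive string or float comparison is unnecessary and would be wrong here.
function example_pfp_version_is_affected( $version ) {
    return version_compare( $version, EXAMPLE_PFP_MIN, '>=' )
        && version_compare( $version, EXAMPLE_PFP_MAX, '<=' );
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    // get_plugins() lives in wp-admin/includes/plugin.php and reads the
    // installed plugin headers from disk, including inactive plugins.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugins = get_plugins();
    if ( ! isset( $plugins[ EXAMPLE_PFP_FILE ] ) ) {
        return; // plugin not installed under the assumed path
    }
    $installed = $plugins[ EXAMPLE_PFP_FILE ]['Version'];
    if ( example_pfp_version_is_affected( $installed ) ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'Product Feed PRO %s is in the CVE-2026-3499 affected range (%s to %s). Update it.',
                $installed, EXAMPLE_PFP_MIN, EXAMPLE_PFP_MAX
            ) )
        );
    }
} );
```

For a fleet of sites the same range check can be driven from the shell with `wp plugin get <slug> --field=version` and the installed value fed to `example_pfp_version_is_affected()`; the function is deliberately separate from the notice hook so it can be reused that way.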
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3499 | CSRF | Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress, versions 13.4.6 through 13.5.2.1. Vulnerable functions: ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, ajax_fix_duplicate_feed |