Platform
wordpress
Component
advanced-product-fields-for-woocommerce
Fixed in
1.6.18
A Cross-Site Request Forgery (XSRF) vulnerability exists in the Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress. This flaw, present in versions 1.0.0 through 1.6.17, allows unauthenticated attackers to duplicate and publish product field groups. The vulnerability stems from insufficient nonce validation within the 'maybe_duplicate' function, enabling malicious actions if an administrator is tricked into clicking a forged link. A patch is available in version 1.6.18.
Successful exploitation of CVE-2025-13924 allows an attacker to forge requests and duplicate product field groups within a WooCommerce store. This can lead to the creation of unauthorized product field configurations, potentially disrupting the product creation process or introducing unexpected behavior. An attacker could publish draft or pending field groups, potentially injecting malicious content or altering product behavior. While direct data theft isn't the primary impact, the ability to manipulate product configurations can have significant operational consequences for e-commerce businesses. The blast radius is limited to the affected WooCommerce store and its administrative users.
This vulnerability was publicly disclosed on December 9, 2025. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 4.3 indicates a medium severity, suggesting a moderate likelihood of exploitation if a suitable PoC becomes available.
Exploit Status
EPSS
0.02% (3% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13924 is to immediately upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and output encoding practices within your custom WooCommerce development. While a direct WAF rule is difficult to implement, monitor for unusual product field duplication requests. After upgrading, confirm the fix by attempting to duplicate a product field group as an unauthenticated user – the action should be denied.
Update to version 1.6.18, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-13924 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Advanced Product Fields plugin for WooCommerce, allowing attackers to duplicate product field groups via forged requests.
You are affected if you are using Advanced Product Fields for WooCommerce versions 1.0.0 through 1.6.17. Upgrade to 1.6.18 to mitigate the risk.
Upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later. If immediate upgrade is not possible, implement stricter input validation and output encoding.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13924, but vigilance is advised.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.