Platform: wordpress
Component: woo-bulk-editor
Fixed in: 1.1.6
CVE-2026-1672 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to manipulate WooCommerce product data, such as prices and descriptions, by tricking a logged-in administrator or shop manager into submitting a forged request. The vulnerability affects all versions of the plugin up to and including 1.1.5, and a fix is available in version 1.1.6.
An attacker exploiting this CSRF vulnerability could significantly compromise a WooCommerce store. They could set product prices excessively high or low, replace product descriptions with misleading or malicious content, and potentially manipulate other product attributes. Successful exploitation could lead to financial losses for the store owner, damage to their reputation, and a degraded customer experience. Because the attack relies on social engineering to lure a privileged user (administrator or shop manager) into opening a malicious link, it remains a risk even where other security measures are in place.
This vulnerability was publicly disclosed on 2026-04-07. There are currently no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The lack of public exploits does not diminish the risk, as CSRF vulnerabilities are often exploited through targeted phishing campaigns.
Exploit Status
EPSS: 0.01% (0% percentile)
The primary mitigation for CVE-2026-1672 is to upgrade the BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin to version 1.1.6 or a newer patched version without delay. If upgrading is not immediately feasible, tighten access controls (limit the number of administrator and shop manager accounts) and train privileged users to recognise social engineering attempts. A Web Application Firewall (WAF) configured to detect and block CSRF attacks can provide an additional layer of protection. Regularly review installed WordPress plugins and their permissions, and keep only the plugins you actually need.
CVE-2026-1672 is a Cross-Site Request Forgery (CSRF) vulnerability in the BEAR WooCommerce plugin for WordPress, affecting versions up to and including 1.1.5. It allows attackers to manipulate product data through forged requests submitted by a logged-in privileged user.
You are affected if you are running the BEAR WooCommerce plugin at version 1.1.5 or earlier. Check your installed plugin version and upgrade immediately.
Upgrade the BEAR WooCommerce plugin to version 1.1.6 or later. This resolves the missing nonce validation issue.
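To show what "missing nonce validation" means in practice, here is a constructed WordPress/WooCommerce handler in its weak form beside its hardened form. This is an added example, not code from the BEAR plugin; the demo_* names, the admin-post action and the form page are assumptions, and the fix relies only on standard WordPress and WooCommerce functions.

```php
<?php
// Hypothetical bulk-edit handler (constructed example, not BEAR's code).
// It updates a product's regular price from a form POSTed to admin-post.php.

// BEFORE: no nonce and no capability check. Any page that makes a logged-in
// shop manager's browser POST here can change the price, because the browser
// attaches the WordPress authentication cookies automatically (classic CSRF).
function demo_bulk_price_update_unsafe() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $price      = wc_format_decimal( wp_unslash( $_POST['price'] ?? '' ) );
    $product    = wc_get_product( $product_id );
    if ( $product ) {
        $product->set_regular_price( $price );
        $product->save();
    }
    wp_safe_redirect( admin_url( 'admin.php?page=demo-bulk-editor' ) );
    exit;
}

// AFTER: verify a per-user, time-limited nonce tied to this specific action,
// then confirm the caller actually holds the WooCommerce management capability.
// check_admin_referer() calls wp_die() on a missing or stale nonce.
function demo_bulk_price_update_safe() {
    check_admin_referer( 'demo_bulk_price_update', 'demo_nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $price      = wc_format_decimal( wp_unslash( $_POST['price'] ?? '' ) );
    $product    = wc_get_product( $product_id );
    if ( $product ) {
        $product->set_regular_price( $price );
        $product->save();
    }
    wp_safe_redirect( admin_url( 'admin.php?page=demo-bulk-editor' ) );
    exit;
}
add_action( 'admin_post_demo_bulk_price_update', 'demo_bulk_price_update_safe' );

// The legitimate form must embed the matching nonce; wp_nonce_field() emits the
// hidden "demo_nonce" input (plus a referer field) that a forged page cannot guess.
function demo_bulk_editor_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_bulk_price_update', 'demo_nonce' );
    echo '<input type="hidden" name="action" value="demo_bulk_price_update">';
    echo '<input type="number" name="product_id" placeholder="Product ID">';
    echo '<input type="text" name="price" placeholder="New regular price">';
    submit_button( 'Update price' );
    echo '</form>';
}
```

A failed check_admin_referer() renders WordPress's "The link you followed has expired" page with an HTTP 403, so a burst of such responses on a plugin's admin-post or admin-ajax action is a useful signal to alert on.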
There are currently no known public exploits or active campaigns targeting this vulnerability, but it remains a risk because CSRF requires only that a privileged user open an attacker-controlled page.
Refer to the Pluginus.Net website and the WordPress plugin repository for the latest information and updates regarding this vulnerability.