Platform: wordpress
Component: woo-bulk-editor
Fixed in: 1.1.6
CVE-2026-1673 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin for WordPress. The flaw allows unauthenticated attackers to delete WooCommerce taxonomy terms, such as categories and tags, by tricking a logged-in site administrator or shop manager into submitting a forged request. The vulnerability affects versions up to and including 1.1.5; a patch is available in version 1.1.6.
The primary impact of CVE-2026-1673 is the unauthorized deletion of WooCommerce taxonomy terms. An attacker could leverage this vulnerability to disrupt a WordPress store's organization and functionality. By crafting a malicious link and enticing a privileged user (administrator or shop manager) to click it, the attacker can trigger the woobedeletetax_term() function without proper authentication. This could lead to the removal of critical categories or tags, potentially impacting product visibility and sales. While the vulnerability doesn't directly expose sensitive data, the disruption to store operations and potential for further exploitation (e.g., modifying product data after gaining access) should be considered a significant risk.
CVE-2026-1673 was disclosed on 2026-04-07. There are currently no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the relatively straightforward nature of CSRF exploitation and the plugin's popularity, it's prudent to assume that a public exploit could emerge, particularly if the plugin remains unpatched on many WordPress sites.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1673 is to upgrade the BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin to version 1.1.6 or later as soon as possible. If upgrading is not immediately feasible because of compatibility or testing requirements, consider a Web Application Firewall (WAF) rule that blocks requests invoking the woobedeletetax_term() function without a valid nonce. Additionally, educate administrators and shop managers about the risk of clicking on suspicious links and the importance of verifying the source of any request they are prompted to authorize. After upgrading, confirm the fix by attempting to delete a taxonomy term via a crafted CSRF request; the action should be denied.
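The defence the patched version is described as adding is nonce validation on the term-deletion action. The following is an added illustration, not the plugin's own code, of what that looks like in a WordPress admin-ajax handler: a weak handler that trusts the logged-in cookie alone, beside a hardened handler that checks a per-action nonce and the user's capability before calling wp_delete_term(). The action name `example_delete_tax_term` and the request parameters `term_id`, `taxonomy` and `_wpnonce` are assumed for the example and are not taken from the plugin.

```php
<?php
// Added example, not the BEAR plugin's code. Action name and parameter
// names ('example_delete_tax_term', 'term_id', 'taxonomy', '_wpnonce')
// are assumptions made for this illustration.

// WEAK PATTERN: nothing ties the request to the plugin's own UI. Because
// browsers attach the victim's WordPress login cookie to cross-site POSTs,
// any page a logged-in shop manager visits could submit this request
// on their behalf (CSRF).
function example_delete_tax_term_weak() {
    $term_id  = absint( $_POST['term_id'] ?? 0 );
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    wp_delete_term( $term_id, $taxonomy );
    wp_send_json_success();
}

// HARDENED PATTERN: verify a nonce issued for this specific action, then
// verify the user actually holds the capability to delete terms in the
// requested taxonomy, and only then perform the deletion.
function example_delete_tax_term_hardened() {
    // Ends the request with HTTP 403 (body "-1") if the nonce is absent,
    // expired, or was issued for a different action or user.
    check_ajax_referer( 'example_delete_tax_term', '_wpnonce' );

    // Restrict the handler to the WooCommerce product taxonomies it is
    // meant to manage rather than accepting any taxonomy name.
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    if ( ! in_array( $taxonomy, array( 'product_cat', 'product_tag' ), true ) ) {
        wp_send_json_error( 'invalid taxonomy', 400 );
    }

    // Capability check against the taxonomy's own delete_terms capability
    // (for WooCommerce product taxonomies this is a WooCommerce-defined
    // product-terms capability held by administrators and shop managers).
    $tax_obj = get_taxonomy( $taxonomy );
    if ( ! $tax_obj || ! current_user_can( $tax_obj->cap->delete_terms ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $term_id = absint( $_POST['term_id'] ?? 0 );
    $result  = wp_delete_term( $term_id, $taxonomy );
    // wp_delete_term() returns true on success, false for a missing term,
    // 0 for the default category, or a WP_Error.
    if ( is_wp_error( $result ) || true !== $result ) {
        wp_send_json_error( 'delete failed', 400 );
    }
    wp_send_json_success( array( 'deleted' => $term_id ) );
}
// Register for logged-in users only. The nonce check is still essential:
// CSRF rides on the victim's own authenticated session.
add_action( 'wp_ajax_example_delete_tax_term', 'example_delete_tax_term_hardened' );

// Issue the nonce to the plugin's own admin page so its JavaScript can
// include it as '_wpnonce' in the AJAX POST; a third-party page cannot
// read this value and therefore cannot forge a valid request.
function example_enqueue_admin_js() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_tax_term' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );
```

Two points of design here. First, the nonce and the capability check answer different questions: the nonce proves the request originated from a page the site served to this user, while current_user_can() proves the user is allowed to perform the action at all; a CSRF fix that adds only one of them is incomplete. Second, this is also what the post-upgrade verification in the mitigation paragraph should observe: a deletion request that lacks the nonce is rejected by check_ajax_referer() with HTTP 403 before wp_delete_term() is ever reached, so the term remains in place.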
Update to version 1.1.6, or a newer patched version
CVE-2026-1673 is a Cross-Site Request Forgery (CSRF) vulnerability in the BEAR WooCommerce plugin for WordPress, allowing attackers to delete WooCommerce taxonomy terms.
You are affected if you are using BEAR WooCommerce Plugin versions 1.1.5 or earlier. Upgrade to 1.1.6 or later to mitigate the risk.
Upgrade the plugin to version 1.1.6 or later. As a temporary workaround, implement a WAF rule to block requests to woobedeletetax_term() without proper nonce validation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future exploitation.
Refer to the Pluginus.Net website and WordPress plugin repository for the latest advisory and update information regarding CVE-2026-1673.