Platform
wordpress
Component
woo-product-feed-pro
Fixed in
13.5.3
CVE-2026-3499 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Product Feed PRO for WooCommerce plugin developed by AdTribes. This flaw allows unauthenticated attackers to perform actions as an authenticated user, potentially leading to unauthorized modifications of feed configurations. The vulnerability impacts versions 13.4.6 through 13.5.2.1, and a patch is available in version 13.5.2.2.
An attacker exploiting this CSRF vulnerability could leverage it to manipulate various plugin functionalities without requiring authentication. Specifically, they can trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, and toggle legacy filters and rules. Successful exploitation could result in data corruption, altered feed configurations, and potentially compromise the integrity of product data displayed on external platforms. The impact is amplified if the WooCommerce store relies heavily on the plugin for managing product feeds and synchronizing data with external marketing channels.
CVE-2026-3499 was published on April 7, 2026. Currently, there are no publicly known active campaigns exploiting this vulnerability. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any indications of exploitation attempts.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3499 is to immediately upgrade the Product Feed PRO for WooCommerce plugin to version 13.5.2.2 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules specifically targeting the vulnerable endpoints (ajaxmigratetocustomposttype, ajaxadtclearcustomattributesproductmetakeys, ajaxupdatefileurltolowercase, ajaxuselegacyfiltersandrules, and ajaxfixduplicatefeed). Additionally, review and strengthen WordPress user permissions to limit the potential impact of a successful CSRF attack. After upgrading, confirm the fix by attempting to trigger the vulnerable actions via a crafted CSRF request; the request should be rejected.
Update to version 13.5.2.2, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3499 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Product Feed PRO for WooCommerce versions 13.4.6–13.5.2.1, allowing unauthorized actions via crafted requests.
You are affected if you are using Product Feed PRO for WooCommerce versions 13.4.6 through 13.5.2.1. Upgrade to 13.5.2.2 or later to mitigate the risk.
Upgrade the plugin to version 13.5.2.2 or later. As a temporary workaround, implement a WAF with CSRF protection rules targeting the vulnerable AJAX endpoints.
Currently, there are no publicly known active campaigns exploiting this vulnerability, but monitoring is recommended.
Refer to the AdTribes website and the WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-3499.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.