Platform
wordpress
Component
woo-conditional-product-fees-for-checkout
Fixed in
4.3.4
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Dotstore Extra Fees Plugin for WooCommerce, potentially allowing attackers to execute unauthorized actions on behalf of authenticated users. This flaw impacts versions from 0.0 up to and including 4.3.3. The vulnerability has been resolved in version 4.3.4, and users are strongly advised to upgrade immediately.
This CSRF vulnerability allows an attacker to trick a logged-in user into unknowingly performing actions they did not intend. For example, an attacker could craft a malicious link that, when clicked by a user with administrative privileges, modifies plugin settings, creates fraudulent fees, or potentially compromises other WooCommerce functionalities. The blast radius extends to any user with access to the WooCommerce admin panel, as an attacker could leverage this vulnerability to escalate privileges and gain control over the e-commerce store. Successful exploitation could lead to financial losses, data breaches, and reputational damage.
This vulnerability was published on 2026-04-08. Currently, there are no publicly available Proof-of-Concept (POC) exploits. The EPSS score is pending evaluation, but given the ease of CSRF exploitation and the plugin's potential impact on e-commerce operations, it warrants careful attention. It is not currently listed on KEV. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS
0.01% (3% percentile)
CVSS Vector
The primary mitigation is to upgrade the Extra Fees Plugin for WooCommerce to version 4.3.4 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include strict input validation on all user-supplied data, implementing CSRF tokens on all sensitive actions within the plugin's admin interface, and utilizing a Web Application Firewall (WAF) with CSRF protection rules. Monitor WooCommerce logs for suspicious activity, particularly requests originating from unfamiliar sources. After upgrading, confirm the fix by attempting to trigger a fee creation or modification via a crafted URL – it should be rejected.
Update to version 4.3.4, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-39671 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Dotstore Extra Fees Plugin for WooCommerce, allowing attackers to perform unauthorized actions. It affects versions 0.0 through 4.3.3 and has a HIGH severity rating.
You are affected if you are using the Dotstore Extra Fees Plugin for WooCommerce version 0.0 to 4.3.3. Check your plugin version immediately using wp plugin list.
Upgrade the Extra Fees Plugin for WooCommerce to version 4.3.4 or later. If upgrading is not immediately possible, implement temporary workarounds like CSRF tokens and WAF rules.
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-39671. However, due to the ease of CSRF exploitation, it's crucial to patch promptly.
Refer to the official Dotstore Extra Fees Plugin website or the WooCommerce plugin repository for the latest security advisory and update information regarding CVE-2026-39671.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.