Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.17 - Cross-Site Request Forgery Allowing Duplication and Publication of Product Field Groups
Platform
wordpress
Component
advanced-product-fields-for-woocommerce
Fixed in
1.6.18
A Cross-Site Request Forgery (XSRF) vulnerability exists in the Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress. This flaw, present in versions 1.0.0 through 1.6.17, allows unauthenticated attackers to duplicate and publish product field groups. The vulnerability stems from insufficient nonce validation within the 'maybe_duplicate' function, enabling malicious actions if an administrator is tricked into clicking a forged link. A patch is available in version 1.6.18.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-13924 allows an attacker to forge requests and duplicate product field groups within a WooCommerce store. This can lead to the creation of unauthorized product field configurations, potentially disrupting the product creation process or introducing unexpected behavior. An attacker could publish draft or pending field groups, potentially injecting malicious content or altering product behavior. While direct data theft isn't the primary impact, the ability to manipulate product configurations can have significant operational consequences for e-commerce businesses. The blast radius is limited to the affected WooCommerce store and its administrative users.
Exploitation Context
This vulnerability was publicly disclosed on December 9, 2025. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 4.3 indicates a medium severity, suggesting a moderate likelihood of exploitation if a suitable PoC becomes available.
Who Is at Risk
E-commerce businesses utilizing the Advanced Product Fields (Product Addons) for WooCommerce plugin are at risk. Specifically, sites with multiple administrators or those where administrators frequently click on links from untrusted sources are more vulnerable. Shared hosting environments where plugin updates are not consistently applied are also at increased risk.
Detection Steps
• wordpress / composer / npm:
grep -r 'maybe_duplicate' /var/www/html/wp-content/plugins/advanced-product-fields-for-woocommerce/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'Advanced Product Fields'
• wordpress / composer / npm:
wp plugin update advanced-product-fields-for-woocommerce
• wordpress / composer / npm:
wp plugin status advanced-product-fields-for-woocommerce
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: unauthenticated. No credentials are required to exploit.
- User Interaction
- Required: the victim must open a file, click a link or visit a page.
- Scope
- Unchanged: impact is limited to the vulnerable component.
- Confidentiality
- None: no impact on confidentiality.
- Integrity
- Low: the attacker can modify some data, with limited impact.
- Availability
- None: no impact on availability.
Affected Software
Package Information
- Active installations
- 50K
- Plugin rating
- 4.8
- Requires WordPress
- 4.5+
- Tested up to
- 7.0
- Requires PHP
- 7.0+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-13924 is to immediately upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and output encoding practices within your custom WooCommerce development. While a direct WAF rule is difficult to implement, monitor for unusual product field duplication requests. After upgrading, confirm the fix by attempting to duplicate a product field group as an unauthenticated user – the action should be denied.
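As an added illustration of the root cause named in the description and of the check the fix has to add (this is not the plugin's own code and not its actual maybe_duplicate implementation), the following shows a WordPress admin action that duplicates a field group with no nonce check beside the hardened form that verifies a nonce bound to the action and the post and then checks the user's capability. The hook name, the example_ prefix and the field-group post type are hypothetical placeholders; the WordPress functions used (check_admin_referer, wp_nonce_url, current_user_can, wp_insert_post) are core APIs.

```php
<?php
// Illustrative only, not the plugin's code. Hook, prefix and post type
// names are hypothetical placeholders.
// Vulnerable shape: honours any request from a logged-in admin, so a
// forged link (GET admin.php?action=...&post_id=N) is enough.
function example_maybe_duplicate_unsafe() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    example_clone_field_group( $post_id, 'publish' );
    wp_safe_redirect( admin_url( 'edit.php?post_type=example_field_group' ) );
    exit;
}

// Hardened shape: nonce bound to the action and the post, plus an
// explicit capability check before anything is written.
function example_maybe_duplicate_safe() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    // Dies with "The link you followed has expired." when _wpnonce is
    // missing or invalid; this is what stops a forged cross-site request.
    check_admin_referer( 'example_duplicate_' . $post_id );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'Not allowed to duplicate this field group.', 'example' ), 403 );
    }
    // Copy as a draft; publishing stays a separate, deliberate action.
    $new_id = example_clone_field_group( $post_id, 'draft' );
    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
add_action( 'admin_action_example_duplicate_field_group', 'example_maybe_duplicate_safe' );

// The admin-side link must carry the same nonce the handler verifies.
function example_duplicate_link( $post_id ) {
    $url = add_query_arg(
        array( 'action' => 'example_duplicate_field_group', 'post_id' => $post_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_duplicate_' . $post_id );
}

function example_clone_field_group( $post_id, $status ) {
    $src = get_post( $post_id );
    if ( ! $src ) {
        wp_die( esc_html__( 'Field group not found.', 'example' ), 404 );
    }
    return wp_insert_post( array(
        'post_type'    => $src->post_type,
        'post_title'   => $src->post_title . ' (copy)',
        'post_content' => $src->post_content,
        'post_status'  => $status,
    ) );
}
```

The post-upgrade check suggested above maps onto this pattern: a request for the action that lacks a valid _wpnonce must end at the nonce failure page rather than create a post.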
How to fix
Update to version 1.6.18, or a newer patched version
Frequently Asked Questions
What is CVE-2025-13924 — XSRF in Advanced Product Fields for WooCommerce?
CVE-2025-13924 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Advanced Product Fields plugin for WooCommerce, allowing attackers to duplicate product field groups via forged requests.
Am I affected by CVE-2025-13924 in Advanced Product Fields for WooCommerce?
You are affected if you are using Advanced Product Fields for WooCommerce versions 1.0.0 through 1.6.17. Upgrade to 1.6.18 to mitigate the risk.
How do I fix CVE-2025-13924 in Advanced Product Fields for WooCommerce?
Upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later. If immediate upgrade is not possible, implement stricter input validation and output encoding.
Is CVE-2025-13924 being actively exploited?
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13924, but vigilance is advised.
Where can I find the official Advanced Product Fields advisory for CVE-2025-13924?
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.