Platform
wordpress
Component
woo-product-feed-pro
Fixed in
13.5.3
CVE-2026-32443 is a Cross-Site Request Forgery (CSRF) vulnerability in the Product Feed PRO for WooCommerce plugin (slug woo-product-feed-pro). In a CSRF attack the attacker lures a user who is logged in to the WordPress back end onto a page the attacker controls; that page submits a request to one of the plugin's handlers, the browser attaches the victim's session cookies, and the plugin carries out the action as if the user had requested it. All plugin versions up to and including 13.5.2 are affected; the patch was released in version 13.5.2.1.
A successful attack could let the attacker modify product feed settings, create or delete feeds, or trigger other plugin actions with the privileges of the victim. The request is sent by the victim's browser, so the attacker does not receive the response and cannot read data back; the damage is state change rather than disclosure. Altered feed configuration propagates to the shopping channels that consume the feeds, so product listings and pricing can be changed downstream, with lost sales and reputational harm as the practical consequence. The impact is greatest when the victim is an administrator, since every action the plugin exposes is then available to the attacker.
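The following is an added example, not code from the Product Feed PRO plugin, showing the generic WordPress handler shape that produces this class of bug and the hardened form. Hook names, option names and form fields (example_feed_save, example_feed_settings, _example_feed_nonce) are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration of the WordPress CSRF pattern; not the plugin's code.
// All hook/option/field names below are hypothetical.

// --- Vulnerable shape: capability check only. -----------------------------
// A logged-in administrator who opens an attacker-controlled page can be made
// to submit this action. The browser attaches the wp-admin session cookies, so
// current_user_can() passes even though the admin never intended the change.
add_action( 'admin_post_example_feed_save', 'example_feed_save_vulnerable' );
function example_feed_save_vulnerable() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // No nonce check: any cross-site POST reaches this update.
    update_option( 'example_feed_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-feed&saved=1' ) );
    exit;
}

// --- Hardened shape: capability check plus a nonce bound to the action. -----
add_action( 'admin_post_example_feed_save_secure', 'example_feed_save_hardened' );
function example_feed_save_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // check_admin_referer() validates the nonce field and stops with a 403
    // page when it is missing, expired, or was issued for another action/user.
    // A page on a foreign origin cannot obtain a valid nonce for the victim.
    check_admin_referer( 'example_feed_save', '_example_feed_nonce' );

    $raw      = wp_unslash( $_POST['settings'] ?? array() );
    $settings = array(
        'currency'     => sanitize_text_field( $raw['currency'] ?? 'USD' ),
        'include_sale' => ! empty( $raw['include_sale'] ),
    );
    update_option( 'example_feed_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-feed&saved=1' ) );
    exit;
}

// The settings form must embed the matching nonce or legitimate saves are
// rejected too. wp_nonce_field() emits the hidden nonce and referer fields.
function example_feed_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_feed_save_secure">
        <?php wp_nonce_field( 'example_feed_save', '_example_feed_nonce' ); ?>
        <input type="text" name="settings[currency]" value="USD">
        <label>
            <input type="checkbox" name="settings[include_sale]" value="1"> Include sale prices
        </label>
        <?php submit_button( 'Save feed settings' ); ?>
    </form>
    <?php
}

// For admin-ajax endpoints the equivalent guard is
// check_ajax_referer( 'example_feed_save', 'nonce' ), with the nonce produced
// by wp_create_nonce( 'example_feed_save' ) and sent in the request.
```

WordPress nonces are tied to the user, the session and the action name and expire after roughly a day, which is why the foreign page cannot forge one. They do nothing against an attacker who already holds a valid session, so the nonce complements, rather than replaces, the capability check.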
This vulnerability was publicly disclosed on 2026-03-13. No public exploit or active campaign targeting it is known. The CVSS score is 6.5 (MEDIUM). A CVSS base score measures severity rather than likelihood: the attacker needs no account of their own, but must get a privileged user to open attacker-controlled content while logged in to wp-admin, which is the main obstacle to exploitation. It is not listed in the CISA KEV catalog at the time of writing.
WooCommerce store owners running any version of the Product Feed PRO for WooCommerce plugin up to and including 13.5.2 are at risk. Sites on managed or shared hosting where the provider handles plugin updates are equally affected until the update has actually been applied; confirm the installed version rather than assuming it was pushed.
• wordpress / composer / npm:
grep -h -m1 'Version:' /var/www/html/wp-content/plugins/woo-product-feed-pro/*.php
wp plugin list --name=woo-product-feed-pro --fields=name,version,update
The grep reads the Version header of the main plugin file. wp plugin list filters on the plugin slug, not its display name, so matching on 'Product Feed PRO for WooCommerce' would return nothing.
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/woo-product-feed-pro/readme.txt | grep -i 'stable tag'
This only works when the plugin directory is web-readable, which is the default for plugins installed from wordpress.org. Compare the reported version against the affected range (up to and including 13.5.2).
Exploit status
EPSS
0.02% (percentile 3%)
CVSS vector
The primary mitigation for CVE-2026-32443 is to update the Product Feed PRO for WooCommerce plugin to version 13.5.2.1 or later. If an immediate upgrade is not possible because of compatibility concerns, a Web Application Firewall can serve as a stopgap by blocking requests to the plugin's admin endpoints whose Origin or Referer header is not the site itself; this is a partial control, not a fix, since it depends on the browser sending those headers. Strong passwords and two-factor authentication remain good hygiene but do not prevent CSRF, because the forged request rides the victim's already-authenticated session. Until the update is applied, limit the number of accounts with WooCommerce management rights, have administrators log out of wp-admin when not working in it, and review the plugin's feed settings for changes nobody made.
Update to version 13.5.2.1 or a newer patched release.
CVE-2026-32443 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Product Feed PRO for WooCommerce, allowing attackers to perform unauthorized actions.
You are affected if you are using any version of Product Feed PRO for WooCommerce up to and including 13.5.2. Check the installed plugin version now.
Upgrade to version 13.5.2.1 or later. If upgrading is not immediately possible, WAF rules that reject admin requests from foreign origins reduce exposure as a temporary measure, but they do not replace the patch.
There are currently no known active exploitation campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the Josh Kohlbach website and the Product Feed PRO for WooCommerce plugin documentation for the official advisory.