Platform: wordpress
Component: woo-product-feed-pro
Fixed in: 13.5.3
CVE-2026-3499 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Product Feed PRO for WooCommerce plugin developed by AdTribes. This flaw allows unauthenticated attackers to perform actions as an authenticated user, potentially leading to unauthorized modifications of feed configurations. The vulnerability impacts versions 13.4.6 through 13.5.2.1, and a patch is available in version 13.5.2.2.
An attacker exploiting this CSRF vulnerability could manipulate several plugin functions without authenticating themselves, by inducing a logged-in WordPress user's browser to submit a crafted request. Specifically, they could trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, and toggle legacy filters and rules. Successful exploitation could result in data corruption, altered feed configurations, and compromised integrity of the product data published to external platforms. The impact is amplified if the WooCommerce store relies heavily on the plugin to manage product feeds and synchronize data with external marketing channels.
CVE-2026-3499 was published on April 7, 2026. Currently, there are no publicly known active campaigns exploiting this vulnerability. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any indications of exploitation attempts.
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-3499 is to immediately upgrade the Product Feed PRO for WooCommerce plugin to version 13.5.2.2 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules specifically targeting the vulnerable endpoints (ajaxmigratetocustomposttype, ajaxadtclearcustomattributesproductmetakeys, ajaxupdatefileurltolowercase, ajaxuselegacyfiltersandrules, and ajaxfixduplicatefeed). Additionally, review and strengthen WordPress user permissions to limit the potential impact of a successful CSRF attack. After upgrading, confirm the fix by attempting to trigger the vulnerable actions via a crafted CSRF request; the request should be rejected.
Update to version 13.5.2.2, or a later fixed version.
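To show what the fix for this class of bug looks like in WordPress terms, here is an added illustrative example (not AdTribes' code, and not taken from the plugin): a minimal admin-ajax handler for one of the action names listed above in its CSRF-prone shape, followed by a hardened version using WordPress's nonce and capability APIs. The handler body, the nonce action string, the script handle and the admin page hook slug are all assumptions.

```php
<?php
// Added illustrative example, not the plugin's code. The action name comes from
// the advisory; the migration worker and all other names are hypothetical.

function adt_do_feed_migration() {
    // Hypothetical privileged work (migrating feeds to a custom post type).
}

// CSRF-PRONE SHAPE: the wp_ajax_* hook only requires a logged-in user. A crafted
// cross-site form submitted by an administrator's browser runs the migration
// with that administrator's privileges. No nonce, no capability check.
// Wired up as: add_action( 'wp_ajax_ajaxmigratetocustomposttype', 'adt_migrate_unchecked' );
function adt_migrate_unchecked() {
    adt_do_feed_migration();
    wp_send_json_success();
}

// HARDENED SHAPE: verify a nonce bound to this action, then require the
// capability the operation actually needs.
add_action( 'wp_ajax_ajaxmigratetocustomposttype', 'adt_migrate_hardened' );
function adt_migrate_hardened() {
    // Dies with HTTP 403 unless $_REQUEST['security'] carries a valid nonce
    // created with wp_create_nonce( 'adt_migrate_feeds' ) for the current user.
    check_ajax_referer( 'adt_migrate_feeds', 'security' );

    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    adt_do_feed_migration();
    wp_send_json_success();
}

// Hand the nonce to the plugin's own admin page script so that legitimate
// requests can include it as the 'security' parameter.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_adt_feeds' !== $hook ) { // hypothetical page hook slug
        return;
    }
    wp_localize_script( 'adt-admin', 'adtAjax', array( // hypothetical handle
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'adt_migrate_feeds' ),
    ) );
} );
```

The same pattern applies to each of the other AJAX actions named in the mitigation section; the nonce alone is not sufficient, since it only ties the request to a page the user intentionally loaded.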
CVE-2026-3499 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Product Feed PRO for WooCommerce versions 13.4.6–13.5.2.1, allowing unauthorized actions via crafted requests.
You are affected if you are using Product Feed PRO for WooCommerce versions 13.4.6 through 13.5.2.1. Upgrade to 13.5.2.2 or later to mitigate the risk.
Upgrade the plugin to version 13.5.2.2 or later. As a temporary workaround, implement a WAF with CSRF protection rules targeting the vulnerable AJAX endpoints.
Currently, there are no publicly known active campaigns exploiting this vulnerability, but monitoring is recommended.
Refer to the AdTribes website and the WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-3499.