Platform: wordpress
Component: woo-product-feed-pro
Fixed version: 13.5.3
CVE-2026-3499 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Product Feed PRO for WooCommerce plugin developed by AdTribes. This flaw allows an unauthenticated attacker to have actions carried out in the context of an authenticated user who is tricked into sending a crafted request, potentially leading to unauthorized modification of feed configurations. The vulnerability impacts versions 13.4.6 through 13.5.2.1, and a patch is available in version 13.5.2.2.
An attacker exploiting this CSRF vulnerability could leverage it to manipulate various plugin functionalities without requiring authentication. Specifically, they can trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, and toggle legacy filters and rules. Successful exploitation could result in data corruption, altered feed configurations, and potentially compromise the integrity of product data displayed on external platforms. The impact is amplified if the WooCommerce store relies heavily on the plugin for managing product feeds and synchronizing data with external marketing channels.
CVE-2026-3499 was published on April 7, 2026. Currently, there are no publicly known active campaigns exploiting this vulnerability. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any indications of exploitation attempts.
Exploit status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-3499 is to immediately upgrade the Product Feed PRO for WooCommerce plugin to version 13.5.2.2 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules specifically targeting the vulnerable endpoints (ajaxmigratetocustomposttype, ajaxadtclearcustomattributesproductmetakeys, ajaxupdatefileurltolowercase, ajaxuselegacyfiltersandrules, and ajaxfixduplicatefeed). Additionally, review and strengthen WordPress user permissions to limit the potential impact of a successful CSRF attack. After upgrading, confirm the fix by attempting to trigger the vulnerable actions via a crafted CSRF request; the request should be rejected.
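The root cause of a CSRF flaw in a WordPress AJAX handler is that the action runs on any request arriving from a logged-in browser, with no proof that the request came from the plugin's own admin page. The following is an added illustration, not code from the Product Feed PRO plugin or from AdTribes: a hypothetical admin-ajax handler (the action name `example_rewrite_feed_urls`, the nonce name and the `manage_woocommerce` capability are assumptions) shown first without and then with the two checks that close this class of bug.

```php
<?php
// Added example, not the plugin's own code. Action, nonce and capability
// names below are assumptions chosen for illustration.

// BEFORE: the handler trusts any request from a logged-in browser, so a
// forged cross-site form submission from an administrator's browser would
// run it. This is the pattern the advisory above describes.
function example_rewrite_feed_urls_unsafe() {
    // ... mutate feed settings ...
    wp_send_json_success();
}

// AFTER: require a nonce bound to this action and to the logged-in user,
// then confirm the user is actually allowed to change feed settings.
function example_rewrite_feed_urls_safe() {
    // Terminates the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_feed_nonce', 'nonce' );

    // Authorization check: a valid nonce alone does not prove privilege.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // ... mutate feed settings ...
    wp_send_json_success();
}
// Only the hardened handler is wired up; the unsafe one is shown for contrast.
add_action( 'wp_ajax_example_rewrite_feed_urls', 'example_rewrite_feed_urls_safe' );

// The legitimate admin page must issue the nonce so its own JavaScript can
// include it in the request; a cross-site page cannot read this value.
function example_enqueue_feed_admin_script() {
    wp_enqueue_script(
        'example-feed-admin',
        plugins_url( 'admin.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-feed-admin', 'exampleFeed', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_feed_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_feed_admin_script' );
```

When reviewing a plugin's `wp_ajax_*` handlers, look for exactly these two calls (`check_ajax_referer`, or `wp_verify_nonce`, plus a `current_user_can` check) at the top of every state-changing action; a handler that has the capability check but no nonce check is still CSRF-able, because the forged request executes with the victim's privileges.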
Update to version 13.5.2.2 or a later fixed version.
CVE-2026-3499 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Product Feed PRO for WooCommerce versions 13.4.6–13.5.2.1, allowing unauthorized actions via crafted requests.
You are affected if you are using Product Feed PRO for WooCommerce versions 13.4.6 through 13.5.2.1. Upgrade to 13.5.2.2 or later to mitigate the risk.
Upgrade the plugin to version 13.5.2.2 or later. As a temporary workaround, implement a WAF with CSRF protection rules targeting the vulnerable AJAX endpoints.
Currently, there are no publicly known active campaigns exploiting this vulnerability, but monitoring is recommended.
Refer to the AdTribes website and the WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-3499.