MEDIUM · CVE-2025-13924 · CVSS 4.3

Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.17 - Cross-Site Request Forgery to Product Field Group Duplication and Publication

Platform

wordpress

Component

advanced-product-fields-for-woocommerce

Fixed in

1.6.18

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

A Cross-Site Request Forgery (XSRF) vulnerability exists in the Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress. This flaw, present in versions 1.0.0 through 1.6.17, allows unauthenticated attackers to duplicate and publish product field groups. The vulnerability stems from insufficient nonce validation within the 'maybe_duplicate' function, enabling malicious actions if an administrator is tricked into clicking a forged link. A patch is available in version 1.6.18.
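The flaw described above is a state-changing admin action whose nonce check is insufficient. What follows is an added example, not the plugin's own code and not its 'maybe_duplicate' function, of how a "duplicate field group" action is hardened in WordPress: the link carries a nonce bound to the action and the group id, and the handler verifies that nonce and the caller's capability before copying anything, keeping the copy as a draft. The function and hook names prefixed example_ are assumptions; the WordPress and WooCommerce APIs used (wp_nonce_url, check_admin_referer, current_user_can with manage_woocommerce, wp_insert_post) are real.

```php
<?php
// Added example (not the plugin's code): a nonce- and capability-checked
// "duplicate field group" admin action. Names prefixed example_ are assumed.

// Build the "Duplicate" link shown in the admin list. wp_nonce_url() appends a
// _wpnonce parameter bound to the action string and the current user's session,
// so a link forged by a third party cannot carry a valid value.
function example_duplicate_link( int $group_id ): string {
    $url = add_query_arg(
        array(
            'action'   => 'example_duplicate_group',
            'group_id' => $group_id,
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_duplicate_group_' . $group_id );
}

// Handler for the action. It is registered on the authenticated
// "admin_post_{action}" hook only, never on "admin_post_nopriv_{action}",
// so logged-out requests never reach it.
function example_maybe_duplicate(): void {
    $group_id = isset( $_GET['group_id'] ) ? absint( $_GET['group_id'] ) : 0;

    // Nonce check: validates _wpnonce against the action string (which
    // includes the group id, so a nonce issued for one group cannot be
    // replayed for another) and dies with HTTP 403 on failure.
    check_admin_referer( 'example_duplicate_group_' . $group_id );

    // Capability check: a valid nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to duplicate field groups.', 'example' ), 403 );
    }

    if ( 0 === $group_id ) {
        wp_die( esc_html__( 'Invalid field group.', 'example' ), 400 );
    }

    $copy_id = example_copy_field_group( $group_id );

    // Send the user to the edit screen of the copy. The copy stays a draft:
    // publication is a separate action that must be protected the same way.
    wp_safe_redirect( admin_url( 'post.php?post=' . $copy_id . '&action=edit' ) );
    exit;
}
add_action( 'admin_post_example_duplicate_group', 'example_maybe_duplicate' );

// Copy the post that backs a field group, together with its meta, as a draft.
function example_copy_field_group( int $group_id ): int {
    $source = get_post( $group_id );
    if ( ! $source ) {
        wp_die( esc_html__( 'Field group not found.', 'example' ), 404 );
    }

    $copy_id = wp_insert_post(
        array(
            'post_type'    => $source->post_type,
            'post_title'   => $source->post_title . ' (copy)',
            'post_content' => $source->post_content,
            'post_status'  => 'draft',
        ),
        true
    );
    if ( is_wp_error( $copy_id ) ) {
        wp_die( esc_html( $copy_id->get_error_message() ), 500 );
    }

    // get_post_meta() without a key returns raw (serialized) values;
    // maybe_unserialize() lets add_post_meta() store them correctly again.
    foreach ( get_post_meta( $group_id ) as $key => $values ) {
        foreach ( $values as $value ) {
            add_post_meta( $copy_id, $key, maybe_unserialize( $value ) );
        }
    }
    return $copy_id;
}
```

The two checks answer different questions: the nonce proves the request originated from a page WordPress rendered for this user (which is what a forged link cannot reproduce), and the capability check proves the user is allowed to perform the action at all. Either one alone leaves a gap.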

WordPress


Impact and Attack Scenarios

Successful exploitation of CVE-2025-13924 allows an attacker to forge requests and duplicate product field groups within a WooCommerce store. This can lead to the creation of unauthorized product field configurations, potentially disrupting the product creation process or introducing unexpected behavior. An attacker could publish draft or pending field groups, potentially injecting malicious content or altering product behavior. While direct data theft isn't the primary impact, the ability to manipulate product configurations can have significant operational consequences for e-commerce businesses. The blast radius is limited to the affected WooCommerce store and its administrative users.

Exploitation Context

This vulnerability was publicly disclosed on December 9, 2025. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 4.3 indicates a medium severity, suggesting a moderate likelihood of exploitation if a suitable PoC becomes available.

Who Is at Risk

E-commerce businesses utilizing the Advanced Product Fields (Product Addons) for WooCommerce plugin are at risk. Specifically, sites with multiple administrators or those where administrators frequently click on links from untrusted sources are more vulnerable. Shared hosting environments where plugin updates are not consistently applied are also at increased risk.

Detection Steps

• Check whether the plugin's code containing the affected function is present on the server:

grep -r 'maybe_duplicate' /var/www/html/wp-content/plugins/advanced-product-fields-for-woocommerce/

• List active plugins and look for the affected plugin:

wp plugin list --status=active | grep 'Advanced Product Fields'

• Update the plugin to the patched release:

wp plugin update advanced-product-fields-for-woocommerce

• Confirm the installed version and status after the update:

wp plugin status advanced-product-fields-for-woocommerce
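The grep step above only shows that the function exists, not which version is installed, and on hosts without WP-CLI the version has to be read from the files. The following added script (not from the advisory) reads the Version: header of the plugin's main file and checks it against the affected range stated on this page (1.0.0 through 1.6.17, fixed in 1.6.18). The plugin directory is the one used in the grep command; the function and constant names prefixed example_ are assumptions.

```php
<?php
// Added example: determine from the installed files whether the plugin is in
// the affected range. Runs outside WordPress (plain `php check.php`).

const EXAMPLE_PLUGIN_DIR     = '/var/www/html/wp-content/plugins/advanced-product-fields-for-woocommerce';
const EXAMPLE_FIRST_AFFECTED = '1.0.0';
const EXAMPLE_FIXED_IN       = '1.6.18';

// True when $version falls in [first affected, fixed). version_compare()
// orders "1.6.9" before "1.6.17", which a plain string comparison would not.
function example_is_affected_version( string $version ): bool {
    return version_compare( $version, EXAMPLE_FIRST_AFFECTED, '>=' )
        && version_compare( $version, EXAMPLE_FIXED_IN, '<' );
}

// Find the main plugin file (the one carrying a "Plugin Name:" header) and
// return its "Version:" header, or null when none is found.
function example_read_plugin_version( string $plugin_dir ): ?string {
    foreach ( glob( rtrim( $plugin_dir, '/' ) . '/*.php' ) ?: array() as $file ) {
        // WordPress itself only inspects the first 8 KiB when reading headers.
        $head = file_get_contents( $file, false, null, 0, 8192 );
        if ( false === $head || ! preg_match( '/^[ \t\/*#@]*Plugin Name:/mi', $head ) ) {
            continue;
        }
        if ( preg_match( '/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $head, $m ) ) {
            return $m[1];
        }
    }
    return null;
}

$version = example_read_plugin_version( EXAMPLE_PLUGIN_DIR );
if ( null === $version ) {
    fwrite( STDERR, 'Plugin not found or no Version header under ' . EXAMPLE_PLUGIN_DIR . "\n" );
    exit( 2 );
}

$affected = example_is_affected_version( $version );
printf(
    "%s: installed %s, %s\n",
    basename( EXAMPLE_PLUGIN_DIR ),
    $version,
    $affected ? 'AFFECTED (update to ' . EXAMPLE_FIXED_IN . ')' : 'not affected'
);
// Exit code 1 when affected makes the script usable from a fleet-wide check.
exit( $affected ? 1 : 0 );
```

Because the header is parsed from disk, the result reflects what is installed, not what the WordPress admin reports, which matters on hosts where an update was staged but the files were never replaced.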

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (3rd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (4.3, MEDIUM)

Attack Vector: Network. How the attacker reaches the target: remotely exploitable over the internet, no physical or local access required.
Attack Complexity: Low. Conditions required to exploit: no special preconditions, reliably exploitable.
Privileges Required: None. Authentication level required for the attack: no authentication needed to exploit.
User Interaction: Required. Whether the victim must take action: the victim must open a file, click a link or visit a page.
Scope: Unchanged. Impact beyond the affected component: impact limited to the vulnerable component.
Confidentiality: None. Risk of sensitive data exposure: no confidentiality impact.
Integrity: Low. Risk of unauthorized data modification: the attacker can modify some data of limited scope.
Availability: None. Risk of service disruption: no availability impact.

Source: nextguardhq.com · CVSS v3.1 Base Score

Affected Software

Component: advanced-product-fields-for-woocommerce
Vendor: wordfence
Affected range: 0 – 1.6.17
Fixed in: 1.6.18

Package Information

Active installations: 50K (known)
Plugin rating: 4.8
Requires WordPress: 4.5+
Compatible up to: 7.0
Requires PHP: 7.0+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-13924 is to immediately upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and output encoding practices within your custom WooCommerce development. While a direct WAF rule is difficult to implement, monitor for unusual product field duplication requests. After upgrading, confirm the fix by attempting to duplicate a product field group as an unauthenticated user – the action should be denied.

How to Fix

Update to version 1.6.18 or a newer patched version.


Frequently Asked Questions

What is CVE-2025-13924 — XSRF in Advanced Product Fields for WooCommerce?

CVE-2025-13924 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Advanced Product Fields plugin for WooCommerce, allowing attackers to duplicate product field groups via forged requests.

Am I affected by CVE-2025-13924 in Advanced Product Fields for WooCommerce?

You are affected if you are using Advanced Product Fields for WooCommerce versions 1.0.0 through 1.6.17. Upgrade to 1.6.18 to mitigate the risk.

How do I fix CVE-2025-13924 in Advanced Product Fields for WooCommerce?

Upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to version 1.6.18 or later. If immediate upgrade is not possible, implement stricter input validation and output encoding.

Is CVE-2025-13924 being actively exploited?

There is currently no evidence of active exploitation campaigns targeting CVE-2025-13924, but vigilance is advised.

Where can I find the official Advanced Product Fields advisory for CVE-2025-13924?

Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
