Home

Description

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PUBLISHED Reserved 2026-03-03 | Published 2026-04-08 | Updated 2026-04-08 | Assigner Wordfence




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Default status
unaffected

13.4.6 (semver)
affected

Timeline

2026-03-04:Vendor Notified
2026-04-07:Disclosed

Credits

lucky_buddy finder

References

www.wordfence.com/...-85e0-4e89-bd95-444ab1db6df8?source=cve

plugins.trac.wordpress.org/...t/3476067/woo-product-feed-pro

cve.org (CVE-2026-3499)

nvd.nist.gov (CVE-2026-3499)

Download JSON