{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1673", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-30T01:19:54.849Z", "datePublished": "2026-04-08T11:16:57.236Z", "dateUpdated": "2026-04-08T16:40:46.856Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:46.856Z"}, "affected": [{"vendor": "realmag777", "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link."}], "title": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474"}, {"url": "https://plugins.trac.wordpress.org/changeset/3457263/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3465138/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-01-30T01:36:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T13:02:09.168870Z", "id": "CVE-2026-1673", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:02:24.721Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1673", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T13:02:09.168870Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:02:14.063Z"}}], "cna": {"title": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "realmag777", "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-30T01:36:18.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474"}, {"url": "https://plugins.trac.wordpress.org/changeset/3457263/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3465138/"}], "descriptions": [{"lang": "en", "value": "The BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T11:16:57.236Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1673", "state": "PUBLISHED", "dateUpdated": "2026-04-08T13:02:24.721Z", "dateReserved": "2026-01-30T01:19:54.849Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T11:16:57.236Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link."}], "id": "CVE-2026-1673", "lastModified": "2026-04-24T18:05:09.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T12:16:20.280", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3457263/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3465138/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.1.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net", "source": "cna", "vendor": "realmag777"}, "product": "bear_\u2013_bulk_editor_and_products_manager_professional_for_woocommerce_by_pluginus.net", "vendor": "realmag777"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T12:51:10.367693+00:00", "value": {"mitigation_remediation": ["Update the BEAR plugin to version 1.1.6 or later, which restores nonce validation in the delete taxonomy function."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery enabling deletion of WooCommerce taxonomy terms"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin up to and including version 1.1.5. Users who are running WordPress sites with WooCommerce and who rely on this plugin for taxonomy management are at risk. The issue is limited to functionality that allows taxonomy deletion and does not impact other plugin features or core WordPress components.", "description_and_impact": "The BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin contains a Cross\u2011Site Request Forgery (CSRF) flaw caused by missing nonce validation in the woobe_delete_tax_term() function. As a result, an unauthenticated attacker can delete WooCommerce taxonomy terms\u2014such as categories, tags, and other taxonomies\u2014when an administrator or shop manager follows a forged request. The description does not mention any privilege escalation or data exfiltration; therefore, based on the information given, it is inferred that the vulnerability does not enable attackers to obtain broader authentication or retrieve sensitive data. The primary impact is on the integrity and availability of the site\u2019s product classification data.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, implying that exploitation may not yet be widespread. The likely attack vector involves social engineering, where an attacker sends a malicious link or prompt to a site administrator or shop manager, causing them to execute the forged request while authenticated. Because the flaw only permits deletion of taxonomy terms and does not grant further administrative privileges, the overall risk is constrained to the taxonomy data set rather than full site control."}}}}, "created": "2026-04-08T19:27:13.896056+00:00", "updated": "2026-04-08T19:39:50.874624+00:00", "vendors": ["realmag777", "realmag777$PRODUCT$bear_\u2013_bulk_editor_and_products_manager_professional_for_woocommerce_by_pluginus.net", "wordpress", "wordpress$PRODUCT$wordpress"]}