{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32443", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:35.694Z", "datePublished": "2026-03-13T11:42:20.167Z", "dateUpdated": "2026-04-29T09:51:59.562Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woo-product-feed-pro", "product": "Product Feed PRO for WooCommerce", "vendor": "Josh Kohlbach", "versions": [{"changes": [{"at": "13.5.2.1", "status": "unaffected"}], "lessThanOrEqual": "13.5.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:12.265Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery.<p>This issue affects Product Feed PRO for WooCommerce: from n/a through <= 13.5.2.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery.This issue affects Product Feed PRO for WooCommerce: from n/a through <= 13.5.2."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.562Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woo-product-feed-pro/vulnerability/wordpress-product-feed-pro-for-woocommerce-plugin-13-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Product Feed PRO for WooCommerce plugin <= 13.5.2 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T15:37:29.408875Z", "id": "CVE-2026-32443", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:37:58.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32443", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T15:37:29.408875Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:35:46.312Z"}}], "cna": {"title": "WordPress Product Feed PRO for WooCommerce plugin <= 13.5.2 - Cross Site Request Forgery (CSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "affected": [{"vendor": "Josh Kohlbach", "product": "Product Feed PRO for WooCommerce", "versions": [{"status": "affected", "changes": [{"at": "13.5.2.1", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 13.5.2"}], "packageName": "woo-product-feed-pro", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:17.667Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woo-product-feed-pro/vulnerability/wordpress-product-feed-pro-for-woocommerce-plugin-13-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery.This issue affects Product Feed PRO for WooCommerce: from n/a through <= 13.5.2.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery.<p>This issue affects Product Feed PRO for WooCommerce: from n/a through <= 13.5.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:20.167Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32443", "state": "PUBLISHED", "dateUpdated": "2026-03-13T15:37:58.357Z", "dateReserved": "2026-03-12T11:11:35.694Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:20.167Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery.This issue affects Product Feed PRO for WooCommerce: from n/a through <= 13.5.2."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Josh Kohlbach Product Feed PRO para WooCommerce woo-product-feed-pro permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a Product Feed PRO para WooCommerce: desde n/a hasta &lt;= 13.5.2."}], "id": "CVE-2026-32443", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:55:04.880", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woo-product-feed-pro/vulnerability/wordpress-product-feed-pro-for-woocommerce-plugin-13-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,13.5.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[13.5.2.1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Product Feed PRO for WooCommerce", "source": "cna", "vendor": "Josh Kohlbach"}, "product": "product_feed_pro_for_woocommerce", "vendor": "josh_kohlbach"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:44:10.721949+00:00", "value": {"mitigation_remediation": ["Apply the latest update of Product Feed PRO for WooCommerce to a version newer than\u202f13.5.2.", "If immediate updating is impossible, temporarily disable the plugin or limit access to the WordPress administration area via IP whitelisting or two\u2011factor authentication.", "Deploy a web application firewall or security plugin that blocks CSRF requests to unknown or unauthenticated endpoints.", "Verify that the site\u2019s core WordPress installation and all other plugins are up to date."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery permitting unauthorized actions"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites that have Josh\u202fKohlbach Product Feed PRO for WooCommerce installed. The plugin versions impacted are those from the initial release through and including\u202f13.5.2. No other versions are listed as affected.", "description_and_impact": "The vulnerability is a Cross\u2011Site Request Forgery (CSRF) flaw that allows an attacker to trick an authenticated user into sending authenticated requests to the WordPress site. From the vendor description, the flaw is present in Product Feed PRO for WooCommerce plugin versions up to 13.5.2. An attacker could cause the plugin to perform privileged actions such as changing feed settings, generating feed data or other administrative functions, thereby impacting the confidentiality, integrity, or availability of the site\u2019s e\u2011commerce data. The weakness corresponds to CWE\u2011352.", "risk_and_exploitability": "The vulnerability has a CVSS\u202fv3 score of\u202f6.5, indicating moderate severity. The EPSS score is less than\u202f1\u202f%, suggesting a low probability of widespread exploitation at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a web\u2011based client: a user who is logged into the WordPress admin area visits a malicious web page that automatically submits a forged request to the vulnerable plugin. No additional exploitation conditions are noted in the provided data."}}}}, "created": "2026-03-16T09:33:23.100693+00:00", "updated": "2026-03-23T12:03:21.825622+00:00", "vendors": ["josh_kohlbach", "josh_kohlbach$PRODUCT$product_feed_pro_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}