{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3499", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-03T20:15:06.618Z", "datePublished": "2026-04-08T01:24:44.495Z", "dateUpdated": "2026-04-08T18:00:45.383Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T01:24:44.495Z"}, "affected": [{"vendor": "jkohlbach", "product": "Product Feed PRO for WooCommerce by AdTribes \u2013 Product Feeds for WooCommerce", "versions": [{"version": "13.4.6", "status": "affected", "lessThanOrEqual": "13.5.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Feed PRO for WooCommerce by AdTribes \u2013 Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Product Feed PRO for WooCommerce by AdTribes \u2013 Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b645b88-85e0-4e89-bd95-444ab1db6df8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3476067/woo-product-feed-pro"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "lucky_buddy"}], "timeline": [{"time": "2026-03-04T18:10:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T12:49:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:00:05.527489Z", "id": "CVE-2026-3499", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:00:45.383Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Feed PRO for WooCommerce by AdTribes \u2013 Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2026-3499", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T02:16:04.237", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3476067/woo-product-feed-pro"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b645b88-85e0-4e89-bd95-444ab1db6df8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.4.6,13.5.2.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Product Feed PRO for WooCommerce by AdTribes \u2013 Product Feeds for WooCommerce", "source": "cna", "vendor": "jkohlbach"}, "product": "product_feed_pro_for_woocommerce_by_adtribes_\u2013_product_feeds_for_woocommerce", "vendor": "jkohlbach"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T02:20:33.445333+00:00", "value": {"mitigation_remediation": ["Update the plugin to a version newer than 13.5.2.1 once a patched release is available."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Request Forgery enabling unauthorized administrative actions"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Product Feed PRO for WooCommerce by AdTribes \u2013 Product Feeds for WooCommerce, specifically versions 13.4.6 through 13.5.2.1. No other products or vendors are directly implicated.", "description_and_impact": "The vulnerability stems from missing or incorrect nonce verification on several AJAX endpoints in the Product Feed PRO for WooCommerce plugin. This flaw permits an unauthenticated user to forge requests that trigger a range of administrative actions, including migrating feeds, clearing custom-attribute caches, rewriting feed file URLs to lowercase, toggling legacy filter and rule settings, and deleting duplicate feed posts. The resulting impact is the potential alteration or disruption of product feed data, misuse of administrative controls, and possibly broader site destabilization.", "risk_and_exploitability": "With a CVSS score of 8.8, the flaw is classified as high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. The most likely attack vector is an unauthenticated attacker sending a forged request that tricks a site administrator into clicking a malicious link, thereby triggering the vulnerable AJAX calls. Given the exposure of sensitive administrative actions and the high CVSS rating, the risk of exploitation in affected environments is significant, especially where users are susceptible to phishing or social engineering."}}}}, "created": "2026-04-08T19:33:33.824332+00:00", "updated": "2026-04-08T19:44:11.798762+00:00", "vendors": ["jkohlbach", "jkohlbach$PRODUCT$product_feed_pro_for_woocommerce_by_adtribes_\u2013_product_feeds_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}