CVE-2025-13924
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-09
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | woocommerce | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress, affecting all versions up to and including 1.6.17. It occurs because of missing or incorrect nonce validation on the 'maybe_duplicate' function. This allows an unauthenticated attacker to trick a site administrator into performing actions such as duplicating and publishing product field groups, including drafts and pending groups, via a forged request.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to cause an administrator to unknowingly duplicate and publish product field groups on a WooCommerce site. This could lead to unauthorized changes in product configurations, potentially disrupting the site's product management and causing confusion or operational issues.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Advanced Product Fields (Product Addons) for WooCommerce plugin to a version later than 1.6.17 where the nonce validation issue is fixed. Additionally, avoid clicking on suspicious links and ensure that only trusted administrators have access to the WordPress admin area to prevent exploitation via forged requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you can check if the Advanced Product Fields (Product Addons) for WooCommerce plugin version is 1.6.17 or earlier, as these versions lack nonce validation for the 'maybe_duplicate' function. Specifically, look for HTTP requests that invoke the duplication of product field groups without proper nonce parameters, such as requests to the 'wapf_duplicate' action missing the '_dupenonce' GET parameter. You can use web server logs or network monitoring tools to search for such suspicious requests. For example, using grep on your web server access logs to find requests related to duplication actions without nonce: `grep 'wapf_duplicate' /path/to/access.log | grep -v '_dupenonce='`. Additionally, monitoring for unexpected POST or GET requests that trigger duplication actions from unauthenticated sources can help identify exploitation attempts. There are no specific commands provided in the resources, but inspecting plugin version and monitoring for missing nonce parameters in duplication requests is recommended. [1]