CVE-2026-32443
Cross-Site Request Forgery in WooCommerce Product Feed PRO
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rymera_web_co | product_feed_pro_for_woocommerce | From 13.0.0 (inc) to 13.5.2 (inc) |
| josh_kohlbach | product_feed_pro_for_woocommerce | Up to 13.5.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32443 is a Cross-Site Request Forgery (CSRF) vulnerability found in the WordPress Product Feed PRO for WooCommerce plugin, versions up to and including 13.5.2.
This vulnerability allows a malicious actor to trick higher privileged users into executing unwanted actions while they are authenticated. This can happen if the user clicks a malicious link, visits a crafted page, or submits a malicious form.
Exploitation requires user interaction and the involvement of a privileged user. The vulnerability is classified under OWASP Top 10 A1: Broken Access Control.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized actions being performed on your WooCommerce product feed plugin by an attacker, but only if a privileged user is tricked into interacting with malicious content.
While the vulnerability does not directly compromise confidentiality or availability, it can impact the integrity of your product feed data by allowing unauthorized modifications.
The CVSS score of 6.5 indicates moderate severity, but the exploitation complexity and requirement for user interaction reduce the overall risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Product Feed PRO for WooCommerce plugin versions up to and including 13.5.2. Detection involves identifying whether this vulnerable plugin version is installed on your WordPress system.

You can check the installed plugin version by running commands on your server or through the WordPress admin interface.

- Using WP-CLI, run: `wp plugin list | grep woo-product-feed-pro`
- Check the plugin version displayed and verify whether it is less than or equal to 13.5.2.
- Alternatively, inspect the plugin's main file header or version.php file in the plugin directory.

There are no specific network commands or signatures mentioned for detecting exploitation attempts of this CSRF vulnerability. [1]
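The version check described above, carried out in code rather than by eye, as an added example (not the vendor's or Patchstack's code): it parses the JSON that `wp plugin list --format=json` emits, matches the slug `woo-product-feed-pro` used by the grep command above, and tests the version against the ranges in the Affected Vendors & Products table with PHP's `version_compare`, which handles the four-component fixed version 13.5.2.1 correctly where a naive string or float comparison would not. The JSON document embedded in the script is constructed sample output, not captured from a real site.

```php
<?php
declare(strict_types=1);
// Added example, not plugin or vendor code. Flags an installed
// Product Feed PRO for WooCommerce whose version falls in the affected ranges
// listed on this page. Real use: wp plugin list --format=json | php check-pfp.php --stdin

const PLUGIN_SLUG         = 'woo-product-feed-pro';  // slug from the page's grep command
const FIRST_FIXED_VERSION = '13.5.2.1';              // from the page's mitigation note

// Affected ranges, one entry per row of the Affected Vendors & Products table.
// A null 'min' means "any version up to max".
const AFFECTED_RANGES = [
    ['min' => '13.0.0', 'max' => '13.5.2'],
    ['min' => null,     'max' => '13.5.2'],
];

function isAffectedVersion(string $version): bool
{
    foreach (AFFECTED_RANGES as $range) {
        $atOrAboveMin = $range['min'] === null
            || version_compare($version, $range['min'], '>=');
        $atOrBelowMax = version_compare($version, $range['max'], '<=');
        if ($atOrAboveMin && $atOrBelowMax) {
            return true;
        }
    }
    return false;
}

/** Rows from `wp plugin list --format=json` that are this plugin in an affected version. */
function findAffectedPlugins(string $wpCliJson): array
{
    $plugins = json_decode($wpCliJson, true, 512, JSON_THROW_ON_ERROR);
    $hits = [];
    foreach ($plugins as $plugin) {
        if (($plugin['name'] ?? '') !== PLUGIN_SLUG) {
            continue;
        }
        if (isAffectedVersion((string) ($plugin['version'] ?? '0'))) {
            $hits[] = $plugin;
        }
    }
    return $hits;
}

// Constructed sample in the shape of `wp plugin list --format=json` output.
$sample = <<<'JSON'
[
  {"name":"woocommerce","status":"active","update":"none","version":"9.6.0"},
  {"name":"woo-product-feed-pro","status":"active","update":"available","version":"13.5.2"}
]
JSON;

$json = in_array('--stdin', $argv ?? [], true)
    ? (string) stream_get_contents(STDIN)
    : $sample;

$hits = findAffectedPlugins($json);
if ($hits === []) {
    echo 'OK: ' . PLUGIN_SLUG . " is not installed, or its version is outside the affected ranges\n";
    exit(0);
}
foreach ($hits as $hit) {
    printf("VULNERABLE: %s %s (%s) -> update to %s or later\n",
        $hit['name'], $hit['version'], $hit['status'], FIRST_FIXED_VERSION);
}
exit(2);
```

Two caveats a practitioner will want: `wp plugin list` reads the version from the plugin's main file header, so a site where the files were patched by hand without bumping the header will be misreported, and on a host with several WordPress installs (or a multisite network) the command must be run once per install path.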
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Product Feed PRO for WooCommerce plugin to version 13.5.2.1 or later, where the vulnerability has been patched.

If immediate updating is not possible, consider restricting access to the plugin's administrative functions to trusted users only, to reduce the risk of CSRF exploitation.

Additionally, enabling security measures such as CSRF tokens, user interaction verification, and limiting user privileges can help mitigate the risk.

Using Patchstack's mitigation support or auto-update features for vulnerable plugins can also help maintain security. [1]
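The CWE-352 pattern the explanation above describes, and the "CSRF tokens" plus "limiting user privileges" that the mitigation notes recommend, as an added illustration in WordPress-flavoured PHP. This is not Product Feed PRO's code, and the page does not identify which of the plugin's actions lacked the check; the action names `pfp_demo_save_feed*`, the option `pfp_demo_feed_url` and the form fields are hypothetical. The WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `admin_post_*` hooks) are the platform's real APIs.

```php
<?php
// Added example (hypothetical handler, not Product Feed PRO's code): a
// state-changing WordPress admin-post handler, first as a CWE-352 pattern and
// then hardened. Runs only inside WordPress; shown here for the pattern.

// --- Vulnerable shape. The browser attaches the victim's auth cookie to any
// request aimed at admin-post.php, so a form on an attacker's page that
// auto-submits to this action runs with the logged-in admin's session.
// Nothing below proves the *user* intended the request (CWE-352), and nothing
// checks that the user is even allowed to change the setting.
function pfp_demo_save_feed_vulnerable(): void
{
    $url = isset($_POST['feed_url']) ? esc_url_raw(wp_unslash($_POST['feed_url'])) : '';
    update_option('pfp_demo_feed_url', $url);   // integrity impact: attacker-chosen value stored
    wp_safe_redirect(admin_url('admin.php?page=pfp-demo&saved=1'));
    exit;
}
// add_action('admin_post_pfp_demo_save_feed', 'pfp_demo_save_feed_vulnerable'); // left unregistered

// --- Hardened shape. The settings form must emit a nonce bound to this
// action; the handler then verifies capability first and nonce second.
function pfp_demo_render_form(): void
{
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="pfp_demo_save_feed_secure">
        <?php wp_nonce_field('pfp_demo_save_feed', 'pfp_demo_nonce'); ?>
        <input type="url" name="feed_url"
               value="<?php echo esc_attr(get_option('pfp_demo_feed_url', '')); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}

add_action('admin_post_pfp_demo_save_feed_secure', 'pfp_demo_save_feed_secure');
function pfp_demo_save_feed_secure(): void
{
    // 1. Authorization: being logged in is not enough; require the capability
    //    that actually governs WooCommerce settings (least privilege).
    if (!current_user_can('manage_woocommerce')) {
        wp_die(esc_html__('Insufficient permissions.', 'pfp-demo'), '', ['response' => 403]);
    }

    // 2. CSRF: the nonce is tied to this action and to the current user's
    //    session, so a third-party page cannot forge it. check_admin_referer()
    //    calls wp_die() itself when the token is missing or stale.
    check_admin_referer('pfp_demo_save_feed', 'pfp_demo_nonce');

    // 3. Validate input before storing it.
    $url = isset($_POST['feed_url']) ? esc_url_raw(wp_unslash($_POST['feed_url'])) : '';
    if ($url !== '' && !wp_http_validate_url($url)) {
        wp_die(esc_html__('Invalid feed URL.', 'pfp-demo'), '', ['response' => 400]);
    }

    update_option('pfp_demo_feed_url', $url);
    wp_safe_redirect(add_query_arg('saved', '1', admin_url('admin.php?page=pfp-demo')));
    exit;
}
```

The order of the two checks matters in review: a nonce proves the request came from a page WordPress rendered for this user, not that the user may perform the action, so `current_user_can()` is never replaced by `check_admin_referer()`. The same two lines belong in any AJAX (`wp_ajax_*`) or REST handler that changes state, where the nonce arrives via `check_ajax_referer()` or the `X-WP-Nonce` header respectively.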