CVE-2026-1672
CSRF in BEAR WooCommerce Plugin Allows Unauthorized Product Updates
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pluginus | bulk_editor_and_products_manager_professional_for_woocommerce | to 1.1.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The BEAR β Bulk Editor and Products Manager Professional for WooCommerce plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.1.5.
This vulnerability exists because the plugin's woobe_redraw_table_row() function lacks nonce validation, which is a security measure to verify legitimate requests.
As a result, an unauthenticated attacker can trick a site administrator or shop manager into performing an action, such as clicking a malicious link, which then allows the attacker to update WooCommerce product data including prices, descriptions, and other product fields.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to modify WooCommerce product data without proper authorization.
- Prices of products can be changed, potentially causing financial loss or confusion.
- Product descriptions and other fields can be altered, which may mislead customers or damage the store's reputation.
- Since the attack requires tricking an administrator or shop manager into clicking a link, it exploits user interaction to bypass authentication.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the BEAR β Bulk Editor and Products Manager Professional for WooCommerce plugin to a version later than 1.1.5 where the nonce validation issue in the woobe_redraw_table_row() function is fixed.
Additionally, ensure that only trusted administrators or shop managers have access to perform product updates, and educate them to avoid clicking on suspicious links that could trigger forged requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to update WooCommerce product data by exploiting a Cross-Site Request Forgery (CSRF) flaw. While this impacts the integrity of product information, there is no direct indication from the provided information that it affects personal data or sensitive health information.
Therefore, based on the available data, this vulnerability primarily risks data integrity related to product management rather than confidentiality or privacy of personal data, which are the main concerns of standards like GDPR or HIPAA.
As such, the impact on compliance with GDPR, HIPAA, or similar regulations is not explicitly stated or directly implied in the provided context.