CVE-2026-1672
Received Received - Intake
CSRF in BEAR WooCommerce Plugin Allows Unauthorized Product Updates

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1672
EUVD
EUVD-2026-20439
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pluginus bulk_editor_and_products_manager_professional_for_woocommerce to 1.1.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to update WooCommerce product data by exploiting a Cross-Site Request Forgery (CSRF) flaw. While this impacts the integrity of product information, there is no direct indication from the provided information that it affects personal data or sensitive health information.

Therefore, based on the available data, this vulnerability primarily risks data integrity related to product management rather than confidentiality or privacy of personal data, which are the main concerns of standards like GDPR or HIPAA.

As such, the impact on compliance with GDPR, HIPAA, or similar regulations is not explicitly stated or directly implied in the provided context.

Executive Summary

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.1.5.

This vulnerability exists because the plugin's woobe_redraw_table_row() function lacks nonce validation, which is a security measure to verify legitimate requests.

As a result, an unauthenticated attacker can trick a site administrator or shop manager into performing an action, such as clicking a malicious link, which then allows the attacker to update WooCommerce product data including prices, descriptions, and other product fields.

Impact Analysis

This vulnerability can allow an attacker to modify WooCommerce product data without proper authorization.

  • Prices of products can be changed, potentially causing financial loss or confusion.
  • Product descriptions and other fields can be altered, which may mislead customers or damage the store's reputation.
  • Since the attack requires tricking an administrator or shop manager into clicking a link, it exploits user interaction to bypass authentication.
Mitigation Strategies

To mitigate this vulnerability, you should update the BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin to a version later than 1.1.5 where the nonce validation issue in the woobe_redraw_table_row() function is fixed.

Additionally, ensure that only trusted administrators or shop managers have access to perform product updates, and educate them to avoid clicking on suspicious links that could trigger forged requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1672. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart