CVE-2026-3499
Received Received - Intake
CSRF Vulnerability in Product Feed PRO for WooCommerce Plugin

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3499
EUVD
EUVD-2026-20026
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
adtribes product_feed_pro_for_woocommerce From 13.4.6 (inc) to 13.5.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Product Feed PRO for WooCommerce plugin for WordPress, specifically versions 13.4.6 through 13.5.2.1. It is a Cross-Site Request Forgery (CSRF) issue caused by missing or incorrect nonce validation on several AJAX functions.

Because of this, an unauthenticated attacker can trick a site administrator into performing certain actions by sending forged requests. These actions include triggering feed migration, clearing custom-attribute transient caches, rewriting feed file URLs to lowercase, toggling legacy filter and rule settings, and deleting duplicated feed posts.

Impact Analysis

The vulnerability can have a severe impact as it allows attackers to perform high-privilege actions without authentication by tricking administrators into clicking malicious links.

  • Triggering feed migration unexpectedly, which could disrupt normal feed operations.
  • Clearing custom-attribute transient caches, potentially causing data loss or inconsistent behavior.
  • Rewriting feed file URLs to lowercase, which might break URL references or cause errors.
  • Toggling legacy filter and rule settings, possibly changing how product feeds are processed.
  • Deleting duplicated feed posts, leading to loss of feed data.

Overall, the vulnerability can compromise the integrity, availability, and reliability of the product feed system.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform actions such as triggering feed migration, clearing caches, rewriting URLs, toggling settings, and deleting posts by tricking a site administrator into clicking a link. This can lead to unauthorized changes and potential data integrity issues.

Such unauthorized actions could impact compliance with standards like GDPR and HIPAA by compromising data integrity, availability, and potentially confidentiality if sensitive data is affected. However, the provided information does not explicitly detail the direct compliance impact.

Detection Guidance

This vulnerability involves missing or incorrect nonce validation in specific AJAX functions of the Product Feed PRO for WooCommerce plugin. Detection would typically involve checking for unauthorized or forged AJAX requests targeting the vulnerable functions: ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed.

Since the vulnerability requires an attacker to trick a site administrator into performing an action, monitoring for unusual or unexpected AJAX requests in web server logs or using a web application firewall (WAF) to detect suspicious POST requests to these AJAX endpoints could help.

No specific commands or detection scripts are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating the Product Feed PRO for WooCommerce plugin to a version later than 13.5.2.1 where the nonce validation issue is fixed.

If an update is not immediately possible, restricting access to the vulnerable AJAX endpoints by implementing additional authentication or firewall rules can reduce risk.

Additionally, educating site administrators to avoid clicking on suspicious links can help prevent exploitation since the attack requires user interaction.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart