CVE-2026-39671
Cross-Site Request Forgery in WooCommerce Extra Fees Plugin
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dotstore | extra_fees_plugin_for_woocommerce | to 4.3.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39671 is a Cross-Site Request Forgery (CSRF) vulnerability in the Dotstore Extra Fees Plugin for WooCommerce, specifically versions up to and including 4.3.3.
This vulnerability allows a malicious actor to trick users with higher privileges into performing unwanted actions while they are authenticated. This can happen if the user clicks a malicious link, visits a crafted webpage, or submits a malicious form.
The vulnerability is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 7.1, indicating a moderate risk level.
Exploitation requires user interaction and a privileged user role.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to perform unauthorized actions on your WooCommerce site if a privileged user is tricked into interacting with malicious content.
Such actions could include changes to fees or checkout conditions that the attacker wants to impose without the legitimate user's consent.
However, the issue is considered low priority with no impactful threat and is unlikely to be widely exploited.
Exploitation requires that the attacker convinces a privileged user to interact with malicious content, so user interaction is necessary.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue affecting the Extra Fees Plugin for WooCommerce versions up to 4.3.3. Detection typically involves verifying the plugin version installed on your WordPress site.
Since this is a web application vulnerability, network-based detection commands are not directly applicable. Instead, you can check the plugin version via WordPress admin dashboard or by running commands on the server hosting WordPress.
- Use WP-CLI to check the plugin version: wp plugin list | grep woo-conditional-product-fees-for-checkout
- Manually verify the plugin version in the WordPress admin panel under Plugins.
There are no specific network commands or signatures provided to detect exploitation attempts of this CSRF vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the Extra Fees Plugin for WooCommerce to a version later than 4.3.3 if such an update becomes available.
Since no official patch is currently available, if updating is not possible, seek assistance from your hosting provider or web developers to implement custom mitigations or workarounds.
Additionally, limit the number of privileged users who can perform sensitive actions in the WordPress admin area to reduce the risk of exploitation.
Educate privileged users to avoid clicking on suspicious links or visiting untrusted pages while authenticated.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the Cross-Site Request Forgery (CSRF) vulnerability in the Dotstore Extra Fees Plugin for WooCommerce on compliance with common standards and regulations such as GDPR or HIPAA.