CVE-2026-6932
Cross-Site Request Forgery in WooCommerce Minimum Weight Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | minimum_weight_plugin | to 3.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to a Cross-Site Request Forgery (CSRF) attack in all versions up to and including 3.0.1. This vulnerability exists because the plugin's settings update handler in the file edit-weight.php lacks nonce verification. As a result, an attacker can trick a site administrator into clicking a malicious link or visiting a page controlled by the attacker, which sends a forged POST request to modify the minimum order weight setting without proper authorization.
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker to change the minimum order weight setting on a Woo Commerce site by exploiting the administrator's session. While it does not directly compromise confidentiality or availability, it can lead to unauthorized changes in the store's configuration, potentially disrupting business operations or causing confusion for customers.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists due to missing nonce verification on the settings update handler in edit-weight.php of the Woo Commerce Minimum Weight plugin for WordPress. To mitigate this vulnerability immediately, you should update the plugin to a version later than 3.0.1 where this issue is fixed.
Additionally, as a temporary measure, restrict access to the plugin's settings page to trusted administrators only and avoid clicking on suspicious links or visiting untrusted pages while logged in as an administrator.