BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion
Description
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 1.1.5
Exploitation Research Plan: CVE-2026-1673 (BEAR – Bulk Editor CSRF)
1. Vulnerability Summary
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin (versions <= 1.1.5) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the woobe_delete_tax_term() function, which is responsible for deleting WooCommerce taxonomy terms. This function fails to implement a nonce check (e.g., check_ajax_referer or wp_verify_nonce), allowing an attacker to perform unauthorized deletions by tricking an authenticated administrator or shop manager into clicking a malicious link or visiting a forged page.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: woobe_delete_tax_term (inferred from function name)
- HTTP Method: POST
- Vulnerable Parameters: term_id (the ID of the taxonomy term) and taxonomy (the slug of the taxonomy, e.g., product_cat)
- Authentication Level: Requires an active session of a user with manage_options or manage_woocommerce capabilities (Administrator or Shop Manager).
- Preconditions: The attacker must know (or guess) the ID of the taxonomy term they wish to delete.
3. Code Flow (Inferred)
- Entry Point: The plugin registers an AJAX action for authenticated users: add_action('wp_ajax_woobe_delete_tax_term', 'woobe_delete_tax_term'); (inferred).
- Vulnerable Function: The woobe_delete_tax_term() function is called.
- Missing Security Check: The function lacks a call to check_ajax_referer() or wp_verify_nonce(). It may still perform a capability check like current_user_can('manage_options'), but this does not protect against CSRF.
- Sink: The function retrieves term_id and taxonomy from the $_POST superglobal and passes them to the WordPress core function wp_delete_term($term_id, $taxonomy).
4. Nonce Acquisition Strategy
The vulnerability description characterizes this issue as missing nonce validation.
- Strategy: No nonce is required for exploitation. The exploitation strategy will focus on demonstrating that a request made by an authenticated administrator succeeds even when no nonce parameter (e.g., security, _wpnonce, or nonce) is provided.
5. Exploitation Strategy
The goal is to demonstrate that an authenticated user can be forced to delete a taxonomy term without their consent.
Step-by-step Plan:
- Setup: Create a dummy product category to serve as the deletion target.
- Identify Target: Determine the term_id of the created category.
- Execution: Use the http_request tool to send a POST request to admin-ajax.php mimicking a CSRF attack (performing the action as the admin without a nonce).
- Verification: Confirm the term is gone using WP-CLI.
Request Details:
- URL: {{base_url}}/wp-admin/admin-ajax.php
- Method: POST
- Headers: Content-Type: application/x-www-form-urlencoded
- Body: action=woobe_delete_tax_term&term_id=[TARGET_TERM_ID]&taxonomy=product_cat
6. Test Data Setup
Before executing the exploit, the following environment state must be established:
- Install Plugin: Ensure woo-bulk-editor version 1.1.5 is installed and active.
- Create Victim Term: wp term create product_cat "CSRF Target Category" --description="This should be deleted"
- Capture ID: Get the ID of the newly created term: wp term list product_cat --field=term_id --name="CSRF Target Category"
7. Expected Results
- HTTP Response: The server should return a successful response (likely a JSON success message or 1 if the handler exits simply).
- System Impact: The taxonomy term with the specified term_id will be permanently removed from the WooCommerce store.
8. Verification Steps
After the http_request is sent, verify the deletion via WP-CLI:
# Look up the term by the ID captured in step 6 (wp term get takes a term ID, or a slug with --by=slug)
wp term get product_cat [TARGET_TERM_ID]
- Vulnerable Result: WP-CLI returns an error: Error: Term does not exist.
- Fixed/Safe Result: WP-CLI returns the term details, indicating the deletion request was rejected.
9. Alternative Approaches
If woobe_delete_tax_term is not the exact action name, audit the plugin files for any instances of add_action('wp_ajax_... to find the correct registration:
grep -rn "wp_ajax_" wp-content/plugins/woo-bulk-editor/
If the plugin uses a specific parameter for the term ID other than term_id (e.g., id or tid), this can be identified by inspecting the function body in the plugin's source code (likely in classes/models/settings.php or similar).
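An added audit helper, not part of the plugin or of this advisory, that automates the grep above from the defender's side: it finds every wp_ajax_ registration under a plugin directory, locates the callback body and flags handlers that contain no check_ajax_referer(), check_admin_referer() or wp_verify_nonce() call. The script name and the regex-based heuristics are my own assumptions; it is a triage aid, not a parser.

```php
<?php
// Added audit helper (not part of the plugin): lists admin-ajax handlers whose
// callback contains no nonce verification call. Regex heuristic, not a parser.
// Usage: php audit-ajax-nonce.php wp-content/plugins/woo-bulk-editor/

function load_php_sources(string $dir): array {
    $sources = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $sources[$file->getPathname()] = file_get_contents($file->getPathname());
        }
    }
    return $sources;
}
// [hook => callback] for add_action('wp_ajax_x', 'cb'), array($this, 'cb') or [$this, 'cb'].
function find_ajax_registrations(string $code): array {
    $pattern = '/add_action\s*\(\s*[\'"](wp_ajax_[\w-]+)[\'"]\s*,\s*'
             . '(?:(?:array\s*\(|\[)\s*\$this\s*,\s*)?[\'"](\w+)[\'"]/';
    preg_match_all($pattern, $code, $m, PREG_SET_ORDER);
    $regs = [];
    foreach ($m as $hit) { $regs[$hit[1]] = $hit[2]; }
    return $regs;
}
// Body of the named function/method found by brace matching, or null if absent.
function function_body(string $code, string $name): ?string {
    $decl = '/function\s+' . preg_quote($name, '/') . '\s*\([^)]*\)\s*\{/';
    if (!preg_match($decl, $code, $m, PREG_OFFSET_CAPTURE)) { return null; }
    $start = $m[0][1] + strlen($m[0][0]);
    for ($i = $start, $depth = 1; $i < strlen($code) && $depth > 0; $i++) {
        if ($code[$i] === '{') { $depth++; } elseif ($code[$i] === '}') { $depth--; }
    }
    return substr($code, $start, $i - $start - 1);
}
function has_nonce_check(string $body): bool {
    return (bool) preg_match('/\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(/', $body);
}

$sources = load_php_sources($argv[1] ?? '.');
foreach ($sources as $path => $code) {
    foreach (find_ajax_registrations($code) as $hook => $cb) {
        $body = null;
        foreach ($sources as $src) {   // the callback may be defined in another file
            if (($body = function_body($src, $cb)) !== null) { break; }
        }
        $status = $body === null ? 'NOTFOUND' : (has_nonce_check($body) ? 'OK      ' : 'REVIEW  ');
        echo "$status $hook -> $cb() registered in $path\n";
    }
}
```

A REVIEW line is a lead, not a finding: a handler may verify the nonce in a shared helper or via a whitelisted hook, so confirm each flagged callback by reading it.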
Summary
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to validate a nonce in its taxonomy deletion AJAX handler. An attacker can exploit this to trick an authenticated administrator into deleting product categories, tags, or other WooCommerce taxonomy terms.
Vulnerable Code
// Inferred from plugin architecture: woo-bulk-editor/index.php or classes/models/settings.php
public function woobe_delete_tax_term() {
    // Potential capability check exists, but nonce validation is missing
    if (!current_user_can('manage_woocommerce')) {
        die('No access');
    }
    $term_id = intval($_POST['term_id']);
    $taxonomy = sanitize_text_field($_POST['taxonomy']);
    // The sink where the term is deleted without CSRF protection
    wp_delete_term($term_id, $taxonomy);
    echo 'done';
    exit;
}
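As an added illustration, not the plugin's own code, here is a hardened version of the handler above that issues a nonce to the admin page and verifies it before any deletion. The hook name, the nonce action 'woobe_nonce', the script handle, the asset path and the taxonomy allow-list are assumptions.

```php
<?php
// Added example (not the plugin's code): CSRF-safe variant of the handler above.
// Hook names, nonce action, script handle and asset path are assumed.

// 1. Issue the nonce to the admin page that will call the endpoint.
add_action('admin_enqueue_scripts', function ($hook) {
    wp_enqueue_script('woobe-admin', plugins_url('assets/admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('woobe-admin', 'woobeAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('woobe_nonce'),  // bound to the logged-in user and session
    ]);
});

// 2. Register for logged-in users only; deliberately no wp_ajax_nopriv_ variant.
add_action('wp_ajax_woobe_delete_tax_term', 'woobe_delete_tax_term_safe');

function woobe_delete_tax_term_safe() {
    // CSRF defence: the POST must carry a nonce issued for this action and user.
    // With the default third argument (true) this dies with -1 (HTTP 403) on failure.
    check_ajax_referer('woobe_nonce', 'nonce');

    // Authorisation is a separate question from request origin; keep both checks.
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403);
    }

    $term_id  = isset($_POST['term_id']) ? absint($_POST['term_id']) : 0;
    $taxonomy = isset($_POST['taxonomy']) ? sanitize_key(wp_unslash($_POST['taxonomy'])) : '';

    // Allow-list (assumed policy): this endpoint may only touch product taxonomies.
    $allowed = ['product_cat', 'product_tag'];
    if ($term_id === 0 || !in_array($taxonomy, $allowed, true) || !taxonomy_exists($taxonomy)) {
        wp_send_json_error(['message' => 'invalid term or taxonomy'], 400);
    }

    // wp_delete_term() returns true, false (no such term), 0 (default term) or WP_Error.
    $result = wp_delete_term($term_id, $taxonomy);
    if (is_wp_error($result)) {
        wp_send_json_error(['message' => $result->get_error_message()], 500);
    }
    if ($result === false || $result === 0) {
        wp_send_json_error(['message' => 'term not found or is the default term'], 404);
    }

    wp_send_json_success(['deleted' => $term_id]);
}
```

The admin JavaScript then posts woobeAjax.nonce in a field named nonce alongside action, term_id and taxonomy; a cross-site form cannot read that value, so a forged request fails at check_ajax_referer() before any deletion.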
Security Fix
@@ -10,6 +10,7 @@ public function woobe_delete_tax_term() { + check_ajax_referer('woobe_nonce', 'nonce'); if (!current_user_can('manage_woocommerce')) { die('No access'); }
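Review bot: the added check_ajax_referer('woobe_nonce', 'nonce') line in this hunk only keeps legitimate callers working if a nonce created with the same action string ('woobe_nonce') is issued to the admin page and sent in a POST field named nonce; the hunk shows neither the wp_create_nonce() side nor the JavaScript change, so those belong in the same fix or every real deletion will now die with -1. Placing the nonce check ahead of current_user_can('manage_woocommerce') is fine, and the capability check must stay, since a valid nonce proves request origin, not authorisation. The surrounding code is marked as inferred above, so the @@ -10,6 +10,7 @@ offsets should be confirmed against the shipped 1.1.5 source before this is applied.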
Exploit Outline
The exploit targets the AJAX action 'woobe_delete_tax_term' via a Cross-Site Request Forgery (CSRF).
1. Target Endpoint: /wp-admin/admin-ajax.php
2. HTTP Method: POST
3. Authentication: Requires an active session of a user with 'manage_woocommerce' or 'manage_options' capabilities (typically an Administrator or Shop Manager).
4. Payload:
   - action: woobe_delete_tax_term
   - term_id: The ID of the taxonomy term to be deleted (e.g., 123)
   - taxonomy: The slug of the taxonomy (e.g., 'product_cat')
5. Execution: The attacker creates a malicious HTML page containing a form that auto-submits these parameters to the target site. When the victim (admin) visits the malicious page, the browser automatically sends the request with the victim's authentication cookies, triggering the deletion since no security nonce is required.