[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRIQNilyR1xXRBXsUDmYAwYGvmWbc2xo2vV53cnBuFro":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1673","bear-bulk-editor-and-products-manager-professional-for-woocommerce-by-pluginusnet-cross-site-request-forgery-to-taxonomy","BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net \u003C= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion","The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) 
via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.","woo-bulk-editor",null,"\u003C=1.1.5","1.1.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-07 00:00:00","2026-04-08 11:17:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1673 (BEAR – Bulk Editor CSRF)\n\n## 1. Vulnerability Summary\nThe **BEAR – Bulk Editor and Products Manager Professional for WooCommerce** plugin (versions \u003C= 1.1.5) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the `woobe_delete_tax_term()` function, which is responsible for deleting WooCommerce taxonomy terms. This function fails to implement a nonce check (e.g., `check_ajax_referer` or `wp_verify_nonce`), allowing an attacker to perform unauthorized deletions by tricking an authenticated administrator or shop manager into clicking a malicious link or visiting a forged page.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `woobe_delete_tax_term` (inferred from function name)\n- **HTTP Method:** POST\n- **Vulnerable Parameter:** `term_id` (the ID of the taxonomy term) and `taxonomy` (the slug of the taxonomy, e.g., `product_cat`)\n- **Authentication Level:** Requires an active session of a user with `manage_options` or `manage_woocommerce` capabilities (Administrator or Shop Manager).\n- **Preconditions:** The attacker must know (or guess) the ID of the taxonomy term they wish to delete.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers an AJAX action for authenticated users:\n   `add_action('wp_ajax_woobe_delete_tax_term', 'woobe_delete_tax_term');` (inferred).\n2. 
**Vulnerable Function:** The `woobe_delete_tax_term()` function is called.\n3. **Missing Security Check:** The function lacks a call to `check_ajax_referer()` or `wp_verify_nonce()`. It may still perform a capability check like `current_user_can('manage_options')`, but this does not protect against CSRF.\n4. **Sink:** The function retrieves `term_id` and `taxonomy` from the `$_POST` superglobal and passes them to the WordPress core function `wp_delete_term($term_id, $taxonomy)`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this vulnerability is characterized by **missing nonce validation**. \n- **Strategy:** No nonce is required for exploitation. The exploitation strategy will focus on demonstrating that a request made by an authenticated administrator succeeds even when no nonce parameter (e.g., `security`, `_wpnonce`, or `nonce`) is provided.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an authenticated user can be forced to delete a taxonomy term without their consent.\n\n**Step-by-step Plan:**\n1. **Setup:** Create a dummy product category to serve as the deletion target.\n2. **Identify Target:** Determine the `term_id` of the created category.\n3. **Execution:** Use the `http_request` tool to send a POST request to `admin-ajax.php` mimicking a CSRF attack (performing the action as the admin without a nonce).\n4. **Verification:** Confirm the term is gone using WP-CLI.\n\n**Request Details:**\n- **URL:** `{{base_url}}\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** POST\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=woobe_delete_tax_term&term_id=[TARGET_TERM_ID]&taxonomy=product_cat\n  ```\n\n## 6. Test Data Setup\nBefore executing the exploit, the following environment state must be established:\n1. **Install Plugin:** Ensure `woo-bulk-editor` version 1.1.5 is installed and active.\n2. 
**Create Victim Term:**\n   ```bash\n   wp term create product_cat \"CSRF Target Category\" --description=\"This should be deleted\"\n   ```\n3. **Capture ID:** Get the ID of the newly created term (WordPress derives the slug `csrf-target-category` from the name):\n   ```bash\n   wp term list product_cat --field=term_id --name=\"CSRF Target Category\"\n   ```\n\n## 7. Expected Results\n- **HTTP Response:** HTTP 200 with whatever the handler echoes (the inferred handler prints `done` and exits). If the handler returned without exiting, `admin-ajax.php` would append `0` via `wp_die(0)`; a bare `0` with the term still present means the action name is wrong or the handler never ran.\n- **System Impact:** The taxonomy term with the specified `term_id` will be permanently removed from the WooCommerce store.\n\n## 8. Verification Steps\nAfter the `http_request` is sent, verify the deletion via WP-CLI. Note that `wp term get` resolves its argument as a term ID unless `--by=slug` is given, so passing the display name would report a missing term on vulnerable and patched sites alike:\n```bash\n# Look the term up by slug (or pass the captured term_id instead)\nwp term get product_cat csrf-target-category --by=slug\n```\n- **Vulnerable Result:** WP-CLI reports that the term does not exist.\n- **Fixed\u002FSafe Result:** WP-CLI prints the term details. With the nonce check in place, `check_ajax_referer()` rejects the request with a `-1` body and HTTP 403 before `wp_delete_term()` is reached.\n\n## 9. Alternative Approaches\nIf `woobe_delete_tax_term` is not the exact action name, audit the plugin files for any instances of `add_action('wp_ajax_...` to find the correct registration:\n```bash\ngrep -rn \"wp_ajax_\" wp-content\u002Fplugins\u002Fwoo-bulk-editor\u002F\n```\nIf the plugin uses a specific parameter for the term ID other than `term_id` (e.g., `id` or `tid`), this can be identified by inspecting the function body in the plugin's source code (likely in `classes\u002Fmodels\u002Fsettings.php` or similar).","The BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin is vulnerable to Cross-Site Request Forgery (CSRF) because it fails to validate a nonce in its taxonomy deletion AJAX handler. 
An attacker can exploit this to trick an authenticated administrator into deleting product categories, tags, or other WooCommerce taxonomy terms.","\u002F\u002F Inferred from plugin architecture: woo-bulk-editor\u002Findex.php or classes\u002Fmodels\u002Fsettings.php\n\npublic function woobe_delete_tax_term() {\n    \u002F\u002F Potential capability check exists, but nonce validation is missing\n    if (!current_user_can('manage_woocommerce')) {\n        die('No access');\n    }\n\n    $term_id = intval($_POST['term_id']);\n    $taxonomy = sanitize_text_field($_POST['taxonomy']);\n\n    \u002F\u002F The sink where the term is deleted without CSRF protection\n    wp_delete_term($term_id, $taxonomy);\n    echo 'done';\n    exit;\n}","--- a\u002Fwoo-bulk-editor\u002Findex.php\n+++ b\u002Fwoo-bulk-editor\u002Findex.php\n@@ -10,6 +10,7 @@\n \n     public function woobe_delete_tax_term() {\n+        check_ajax_referer('woobe_nonce', 'nonce');\n         if (!current_user_can('manage_woocommerce')) {\n             die('No access');\n         }","The exploit targets the AJAX action 'woobe_delete_tax_term' via a Cross-Site Request Forgery (CSRF). \n\n1. Target Endpoint: \u002Fwp-admin\u002Fadmin-ajax.php\n2. HTTP Method: POST\n3. Authentication: Requires an active session of a user with 'manage_woocommerce' or 'manage_options' capabilities (typically an Administrator or Shop Manager).\n4. Payload: \n   - action: woobe_delete_tax_term\n   - term_id: The ID of the taxonomy term to be deleted (e.g., 123)\n   - taxonomy: The slug of the taxonomy (e.g., 'product_cat')\n5. Execution: The attacker creates a malicious HTML page containing a form that auto-submits these parameters to the target site. 
When the victim (admin) visits the malicious page, the browser submits the request with the victim's authentication cookies, triggering the deletion since no security nonce is required.\n6. Caveat: WordPress sets no SameSite attribute on its authentication cookies, so a browser that defaults such cookies to SameSite=Lax will omit them from a cross-site POST (apart from Chrome's two-minute Lax+POST exception for freshly set cookies); the request then arrives unauthenticated, the wp_ajax_ handler is never invoked and admin-ajax.php simply returns 0. The attack is reliable where the browser still treats attribute-less cookies as SameSite=None. A top-level GET would carry Lax cookies, but that only helps if the handler reads its parameters from $_REQUEST, whereas the inferred code above reads $_POST.","gemini-3-flash-preview","2026-04-17 21:15:04","2026-04-17 21:15:25",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-bulk-editor\u002Ftags"]