[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3FAecNwuUtCQepTXNS4-u90ARtUGm5oHkfRgZRGxRtQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3499","product-feed-pro-for-woocommerce-by-adtribes-product-feeds-for-woocommerce-cross-site-request-forgery-to-multiple-admini","Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions","The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. 
This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","woo-product-feed-pro",null,">=13.4.6 \u003C=13.5.2.1","13.5.2.2","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Cross-Site Request Forgery (CSRF)","2026-04-07 12:49:34","2026-04-08 01:24:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5b645b88-85e0-4e89-bd95-444ab1db6df8?source=api-prod",1,[22,23,24,25,26,27,28,29],"changelog.txt","classes\u002Fclass-get-products.php","includes\u002FClasses\u002FFeeds\u002FOpenAI_Product_Feed.php","includes\u002FClasses\u002FUsage.php","includes\u002FClasses\u002FWP_Admin.php","includes\u002FFactories\u002FProduct_Feed.php","languages\u002Fwoo-product-feed-pro.pot","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-3499\n\n## 1. Vulnerability Summary\nThe **Product Feed PRO for WooCommerce** plugin (versions 13.4.6 - 13.5.2.1) is vulnerable to **Cross-Site Request Forgery (CSRF)**. Multiple administrative AJAX handlers fail to implement or correctly validate nonces. This allows an attacker to trick a logged-in administrator into triggering sensitive actions, such as database migrations, clearing caches, altering feed settings, and deleting feed data.\n\n## 2. Attack Vector Analysis\n- **Endpoints:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions:** \n    1. `woosea_migrate_to_custom_post_type`\n    2. `adt_clear_custom_attributes_product_meta_keys`\n    3. `woosea_update_file_url_to_lower_case`\n    4. `woosea_use_legacy_filters_and_rules`\n    5. 
`woosea_fix_duplicate_feed`\n- **Method:** POST\n- **Authentication Required:** Administrator (via CSRF)\n- **Preconditions:** A site administrator must be logged in and tricked into visiting a malicious page that submits a request to the target site.\n\n## 3. Code Flow\n1.  **Entry Point:** The plugin registers AJAX actions in `includes\u002FClasses\u002FProduct_Feed_Admin.php` (inferred from `.pot` file references) or a similar admin handler class using `add_action( 'wp_ajax_woosea_...', ... )`.\n2.  **JS Trigger:** In `includes\u002FClasses\u002FWP_Admin.php`, the plugin enqueues `woosea_manage.js`. This script handles UI buttons on the \"Manage Feeds\" page.\n3.  **Vulnerable Sink:** The registered callback functions (e.g., `ajax_use_legacy_filters_and_rules`) execute administrative logic. In the affected versions, these functions lack a call to `check_ajax_referer()` or `wp_verify_nonce()`, or they use a static\u002Fpredictable token that is not properly validated.\n4.  **Execution:** The function performs the action (e.g., `update_option('adt_use_legacy_filters_and_rules', 'yes')`) without verifying the intent of the user.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, nonce validation is **missing or incorrect**.\n- **Primary Strategy:** Attempt the exploit **without a nonce**. The `woosea_manage_params` localization in `includes\u002FClasses\u002FWP_Admin.php` notably lacks a nonce key, suggesting the developers simply didn't include one in the AJAX request data for these specific actions.\n- **Secondary Strategy (If a nonce is checked but incorrectly):** If the handler expects a parameter like `security`, check if it accepts the generic WordPress REST nonce or a nonce intended for a different action.\n- **Variable Identification:** Check the global `adtObj` or `woosea_manage_params` in the browser console.\n    - Path: `window.woosea_manage_params`\n\n## 5. 
Exploitation Strategy\nWe will target the `woosea_use_legacy_filters_and_rules` action as it provides a clear, verifiable change in the database.\n\n### Step-by-Step Exploit (using `http_request`):\n\n1.  **Identify the Target Action:** `woosea_use_legacy_filters_and_rules`.\n2.  **Prepare Payload:** Craft a POST request that toggles the legacy filters setting.\n3.  **Execute Request:**\n    - **URL:** `https:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Method:** `POST`\n    - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body:** `action=woosea_use_legacy_filters_and_rules`\n4.  **Expected Response:** A successful trigger usually returns `1`, `true`, or a JSON success message like `{\"success\":true}`.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Install Product Feed PRO for WooCommerce version **13.5.2.1**.\n2.  **Activate Plugin:** Ensure the plugin is active.\n3.  **Verify Initial State:**\n    - Run: `wp option get adt_use_legacy_filters_and_rules`\n    - Note if it is 'no' or if the option doesn't exist.\n\n## 7. Expected Results\n- The AJAX request to `admin-ajax.php` should return a `200 OK` status.\n- The response body should indicate success (e.g., `1`).\n- The internal state of the WordPress site (specifically the targeted option) will be modified.\n\n## 8. Verification Steps\nAfter sending the HTTP request, use WP-CLI to confirm the administrative action was performed:\n\n```bash\n# Verify the legacy filters toggle\nwp option get adt_use_legacy_filters_and_rules\n\n# If targeting fix_duplicate_feed, verify total feed counts (requires setup of duplicates)\nwp post list --post_type=adt_product_feed --format=count\n```\n\n## 9. 
Alternative Approaches\nIf `woosea_use_legacy_filters_and_rules` is patched or behaves differently, target the **Duplicate Feed Fixer**:\n- **Action:** `woosea_fix_duplicate_feed`\n- **Purpose:** Deletes duplicate feed posts.\n- **Verification:** Create two feeds with identical names and check if one is deleted after the AJAX call.\n\nIf the AJAX handlers require a generic \"security\" token, attempt to extract it from the \"About\" page where other AdTribes nonces are often localized:\n1. `wp post create --post_type=page --post_content='[woosea_manage_feeds]'` (if shortcode exists)\n2. `browser_navigate` to the created page.\n3. `browser_eval(\"window.woosea_manage_params\")` to find any potential tokens.","Product Feed PRO for WooCommerce (versions 13.4.6 - 13.5.2.1) contains multiple Cross-Site Request Forgery (CSRF) vulnerabilities in its AJAX handlers. The plugin's security checks were optional, only validating the 'security' nonce if it was explicitly provided in the request, allowing unauthenticated attackers to bypass validation and trigger administrative actions like toggling settings, clearing caches, or deleting feed data.","\u002F\u002F includes\u002FClasses\u002FUsage.php\n\n\u002F\u002F Line 759 - Vulnerable pattern where nonce check only triggers if 'security' is present\nif ( isset( $_REQUEST['security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'woosea_ajax_nonce' ) ) {\n    wp_send_json_error( __( 'Invalid security token', 'woo-product-feed-pro' ) );\n}\n\n---\n\n\u002F\u002F Line 789 - Similar vulnerable pattern in another handler\nif ( isset( $_REQUEST['security'] ) && ! 
wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'adt_pfp_allow_tracking_nonce' ) ) {\n    wp_send_json_error( __( 'Invalid security token', 'woo-product-feed-pro' ) );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-feed-pro\u002F13.5.2.1\u002Fincludes\u002FClasses\u002FUsage.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-feed-pro\u002F13.5.2.2\u002Fincludes\u002FClasses\u002FUsage.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-feed-pro\u002F13.5.2.1\u002Fincludes\u002FClasses\u002FUsage.php\t2026-02-17 06:10:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-feed-pro\u002F13.5.2.2\u002Fincludes\u002FClasses\u002FUsage.php\t2026-03-06 05:06:42.000000000 +0000\n@@ -756,7 +756,7 @@\n             wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'woo-product-feed-pro' ) ) );\n         }\n \n-        if ( isset( $_REQUEST['security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'woosea_ajax_nonce' ) ) {\n+        if ( ! isset( $_REQUEST['security'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'woosea_ajax_nonce' ) ) {\n             wp_send_json_error( __( 'Invalid security token', 'woo-product-feed-pro' ) );\n         }\n \n@@ -786,7 +786,7 @@\n             wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'woo-product-feed-pro' ) ) );\n         }\n \n-        if ( isset( $_REQUEST['security'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'adt_pfp_allow_tracking_nonce' ) ) {\n+        if ( ! isset( $_REQUEST['security'] ) || ! 
wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['security'] ) ), 'adt_pfp_allow_tracking_nonce' ) ) {\n             wp_send_json_error( __( 'Invalid security token', 'woo-product-feed-pro' ) );\n         }","The exploit targets administrative AJAX handlers via the WordPress admin-ajax.php endpoint. \n\n1.  **Identify Target Action**: Select one of the vulnerable AJAX actions, such as `woosea_use_legacy_filters_and_rules` or `woosea_fix_duplicate_feed`.\n2.  **Craft Forged Request**: Build a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the body `action=woosea_use_legacy_filters_and_rules`. \n3.  **Omit Nonce**: Crucially, do not include the `security` parameter. Because the vulnerable versions of the plugin only validate the nonce if the `security` parameter exists, omitting it bypasses the validation logic entirely.\n4.  **Admin Interaction**: Trick a logged-in site administrator into clicking a link or visiting a page that executes the POST request (e.g., via a hidden auto-submitting HTML form).\n5.  **Result**: The plugin executes the administrative logic, such as toggling the `adt_use_legacy_filters_and_rules` option, without the admin's conscious intent.","gemini-3-flash-preview","2026-04-17 20:52:40","2026-04-17 20:53:12",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","13.5.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-feed-pro\u002Ftags\u002F13.5.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-product-feed-pro.13.5.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-feed-pro\u002Ftags\u002F13.5.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-product-feed-pro.13.5.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-feed-pro\u002Ftags"]
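Review bot: in the hunk at @@ -756,7 the corrected condition `! isset( $_REQUEST['security'] ) || ! wp_verify_nonce( ... )` now fails closed when the parameter is absent, which is exactly the defect: the old `isset( $_REQUEST['security'] ) && ! wp_verify_nonce( ... )` skipped verification entirely for any request that simply omitted `security`. Consider replacing the hand-rolled check with `check_ajax_referer( 'woosea_ajax_nonce', 'security' );` directly after the permission check, since that helper treats a missing parameter as a failure and terminates the request itself, so the optional-check mistake cannot be reintroduced by a later edit to this handler.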
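Review bot: the hunk at @@ -786,7 applies the same correction for the `adt_pfp_allow_tracking_nonce` check, but the advisory text names five affected handlers (ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, ajax_fix_duplicate_feed) while only these two hunks in includes/Classes/Usage.php are shown; the patched file list also includes includes/Classes/WP_Admin.php and includes/Factories/Product_Feed.php, so confirm that each named handler received the equivalent `! isset( ... ) ||` change and that any handler which previously had no nonce check at all gained one rather than only a capability check.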