CVE-2026-32443

Product Feed PRO for WooCommerce <= 13.5.2 - Cross-Site Request Forgery

Severity: medium
Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Patched in: 13.5.2.1
Time to patch: 42d

Description

The Product Feed PRO for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 13.5.2
Published: March 5, 2026
Last updated: April 15, 2026
Affected plugin: woo-product-feed-pro

What Changed in the Fix

Changes introduced in v13.5.2.1

Source Code: WordPress.org SVN

Research Plan (Unverified)

Exploitation Research Plan: Product Feed PRO for WooCommerce CSRF (CVE-2026-32443)

1. Vulnerability Summary

The Product Feed PRO for WooCommerce plugin (versions <= 13.5.2) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because several AJAX handlers registered via wp_ajax_ hooks fail to perform nonce validation (using check_ajax_referer or wp_verify_nonce). An unauthenticated attacker can trick a logged-in administrator into visiting a malicious website that triggers a background request to the WordPress site, performing actions such as deleting product feeds, duplicating feeds, or modifying plugin settings.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: woosea_delete_feed (inferred from plugin architecture and manage-feeds app logic).
  • HTTP Method: POST
  • Authentication Required: Administrator session (via CSRF).
  • Payload Parameter: feed_id (the ID of the feed to be deleted).
  • Preconditions: An administrator must have at least one product feed configured, and the attacker must know or guess the feed_id (usually starts at 1 and increments).

3. Code Flow

  1. Action Registration: The plugin registers AJAX handlers in its admin initialization logic (likely within a class like WooSEA_Admin or the main plugin file).
    • Hook: add_action( 'wp_ajax_woosea_delete_feed', array( $this, 'woosea_delete_feed' ) );
  2. Missing Check: The callback function woosea_delete_feed() retrieves the feed_id from the $_POST superglobal.
  3. Privilege Check: The function checks current_user_can( 'manage_options' ), which passes because the request is forged using the administrator's browser session.
  4. Missing Nonce: The function proceeds to delete the feed from the custom database table {$wpdb->prefix}woosea_feeds without verifying a cryptographic nonce.
  5. Execution: The database record is removed, and the administrator is unaware of the action unless they check the "Manage Feeds" page.

4. Nonce Acquisition Strategy

This vulnerability is characterized by missing nonce validation. Therefore, a valid nonce is not required to successfully perform the CSRF attack.

However, to confirm whether a nonce should have been used, we can inspect the manage-feeds JS application:

  1. Shortcode/Page: The "Manage Feeds" page is located at /wp-admin/admin.php?page=woosea_manage_feed.
  2. Inspection: Use browser_navigate to this page.
  3. JS Variable: Check for a localized script object (e.g., woosea_ajax) using browser_eval("window.woosea_ajax").
  4. Observation: Even if a nonce (e.g., woosea_ajax.nonce) is present in the JS environment, the server-side handler for woosea_delete_feed fails to verify the security or _wpnonce parameter in the POST request.

5. Exploitation Strategy

The goal is to delete a product feed via a forged POST request.

Step-by-Step Plan:

  1. Identify Session: Capture the administrator's cookies (simulating a logged-in state).
  2. Prepare Target: Ensure a feed with id=1 exists in the wp_woosea_feeds table.
  3. Craft Request: Send a POST request to admin-ajax.php with the minimum required parameters.
  4. Trigger: Use the http_request tool to simulate the forged request.

Forged Request Payload:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body:
    • action=woosea_delete_feed
    • feed_id=1

6. Test Data Setup

Before exploitation, we must ensure the custom table exists and contains a feed to delete.

WP-CLI Setup:

# Ensure the table exists and insert a dummy feed
wp db query "INSERT INTO wp_woosea_feeds (feed_name, cron, feed_status) VALUES ('Exploit Test Feed', 'daily', 'on');"

# Verify the feed ID (likely 1 if the table was empty)
wp db query "SELECT id, feed_name FROM wp_woosea_feeds;"

7. Expected Results

  • HTTP Response: The server should return a successful JSON response or a 1 (typical for successful WP AJAX handlers), even though no nonce was provided.
  • Side Effect: The record in the wp_woosea_feeds table for the specified feed_id will be deleted.

8. Verification Steps

After the http_request is sent, verify the deletion via WP-CLI:

# Check if the feed still exists
wp db query "SELECT count(*) FROM wp_woosea_feeds WHERE id=1;"

If the count is 0, the CSRF attack was successful.

9. Alternative Approaches

If woosea_delete_feed is protected in a specific sub-version, target other AJAX management actions that likely share the same vulnerable pattern:

  • Action: woosea_change_status
    • Body: action=woosea_change_status&feed_id=1&status=off (Disables the feed).
  • Action: woosea_clear_stats
    • Body: action=woosea_clear_stats (Clears all feed click/performance statistics).
  • Action: woosea_save_settings
    • Body: action=woosea_save_settings&form=... (Serialized form data to change plugin-wide settings).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Product Feed PRO for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.5.2. This is due to missing nonce validation on several AJAX handlers, such as 'woosea_delete_feed' and 'adt_pfp_update_settings'. This allows unauthenticated attackers to delete product feeds or modify critical plugin settings by tricking a logged-in administrator into clicking a malicious link.

Vulnerable Code

// Inferred from Research Plan and Changelog. AJAX handlers lack check_ajax_referer validation.
// Action registration usually found in admin initialization logic
add_action( 'wp_ajax_woosea_delete_feed', array( $this, 'woosea_delete_feed' ) );

public function woosea_delete_feed() {
    // Privilege check passes during CSRF because the admin's session is used
    if ( current_user_can( 'manage_options' ) ) {
        $feed_id = $_POST['feed_id'];
        // Missing: check_ajax_referer( 'woosea_ajax_nonce', 'security' );
        
        global $wpdb;
        $wpdb->delete( "{$wpdb->prefix}woosea_feeds", array( 'id' => $feed_id ) );
    }
}

---

// Handler for adt_pfp_update_settings (mentioned in 13.5.2.1 changelog)
public function adt_pfp_update_settings() {
    if ( current_user_can( 'manage_options' ) ) {
        // Missing: check_ajax_referer( 'woosea_ajax_nonce', 'security' );
        $settings = $_POST['settings'];
        update_option( 'adt_pfp_settings', $settings );
    }
}
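
A hardened version of the delete-feed handler, added here as an example (it is not the plugin's own code), covering both the code flow in section 3 of the research plan and the inferred vulnerable code above: the nonce is verified before anything else, the capability check stays, and the feed id is cast to an integer before it reaches the query. The class name, script handle, JS file path and nonce action name are assumptions.

```php
<?php
// Added example, not code from the plugin. Hook, table and capability names
// follow the inferred code on this page; everything else is assumed.
class Feed_Admin_Example {

    public function __construct() {
        // Logged-in users only: no wp_ajax_nopriv_ variant is registered.
        add_action( 'wp_ajax_woosea_delete_feed', array( $this, 'woosea_delete_feed' ) );
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_manage_feeds_script' ) );
    }

    public function enqueue_manage_feeds_script( $hook_suffix ) {
        // Hand a fresh nonce to the JS app; the client must post it back as the
        // 'security' field, e.g. { action: 'woosea_delete_feed', security: woosea_ajax.nonce, feed_id: 1 }.
        wp_enqueue_script( 'woosea-manage-feeds', plugins_url( 'js/manage-feeds.js', __FILE__ ), array( 'jquery' ), '1.0', true );
        wp_localize_script( 'woosea-manage-feeds', 'woosea_ajax', array(
            'ajaxurl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'woosea_ajax_nonce' ),
        ) );
    }

    public function woosea_delete_feed() {
        // 1. CSRF protection: a cross-site forged request cannot supply a valid
        //    nonce. check_ajax_referer() dies with -1 / HTTP 403 on failure.
        check_ajax_referer( 'woosea_ajax_nonce', 'security' );

        // 2. Authorization: the nonce proves intent, not privilege, so keep the
        //    capability check as a separate step.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        // 3. Input validation: the feed id must be a positive integer.
        $feed_id = isset( $_POST['feed_id'] ) ? absint( wp_unslash( $_POST['feed_id'] ) ) : 0;
        if ( 0 === $feed_id ) {
            wp_send_json_error( array( 'message' => 'Invalid feed id.' ), 400 );
        }

        global $wpdb;
        // 4. Delete with an explicit %d format so the id is always bound as an integer.
        $deleted = $wpdb->delete( "{$wpdb->prefix}woosea_feeds", array( 'id' => $feed_id ), array( '%d' ) );

        if ( false === $deleted ) {
            wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
        }
        wp_send_json_success( array( 'deleted' => (int) $deleted ) );
    }
}
```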

Security Fix

--- a/classes/class-admin.php
+++ b/classes/class-admin.php
@@ -102,6 +102,8 @@
 
     public function woosea_delete_feed() {
+        check_ajax_referer( 'woosea_ajax_nonce', 'security' );
+
         if ( current_user_can( 'manage_options' ) ) {
             $feed_id = $_POST['feed_id'];
             $wpdb->delete( "{$wpdb->prefix}woosea_feeds", array( 'id' => $feed_id ) );
         }
     }

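Review bot: `$wpdb->delete()` in `woosea_delete_feed()` is called on an undeclared `$wpdb`; the hunk shows the complete function body and there is no `global $wpdb;` before the call, so the delete runs against an undefined variable. Add `global $wpdb;` at the top of the method, and cast the id before use, e.g. `$feed_id = absint( $_POST['feed_id'] );` with `array( '%d' )` as the format argument to `$wpdb->delete()`, so a non-numeric value never reaches the query. The added `check_ajax_referer( 'woosea_ajax_nonce', 'security' )` is correctly placed before the capability check and dies on a missing or invalid nonce; confirm the manage-feeds JS actually posts the nonce under the `security` key, otherwise legitimate deletes will now fail with a 403.
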
@@ -150,6 +152,8 @@
 
     public function adt_pfp_update_settings() {
+        check_ajax_referer( 'woosea_ajax_nonce', 'security' );
+
         if ( current_user_can( 'manage_options' ) ) {
             // Updated settings logic
         }
     }

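Review bot: the body of `adt_pfp_update_settings()` is collapsed to the placeholder `// Updated settings logic`, so this hunk does not show how the posted settings are read or stored; the pre-fix handler shown on this page writes `$_POST['settings']` straight into `update_option( 'adt_pfp_settings', ... )`. The nonce check stops cross-site triggering but does not validate the value, so the settings array should be checked per key (a whitelist of expected keys, with `sanitize_text_field()` or `absint()` as appropriate) before the option is updated. Both hunks share the single nonce action `woosea_ajax_nonce`; that is acceptable only while every handler accepting it, as these two do, also performs its own capability check.
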
Exploit Outline

The exploit targets the AJAX endpoint /wp-admin/admin-ajax.php using a forged POST request. An attacker tricks an authenticated administrator into visiting a malicious website that hosts a background script (e.g., using XMLHttpRequest or a hidden form). The request includes the 'action=woosea_delete_feed' parameter and a 'feed_id' corresponding to an existing product feed. Since the server-side handler performs no nonce verification, the browser automatically includes the administrator's session cookies, allowing the request to pass authorization checks and delete the specified feed. A similar methodology applies to the 'adt_pfp_update_settings' action, which allows modifying plugin configurations without a valid security token.