[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0eMv4eWugNwgAHs1r0sKUW1vNwElh3pgNkN4dD_AAFo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-32443","product-feed-pro-for-woocommerce-cross-site-request-forgery-2","Product Feed PRO for WooCommerce \u003C= 13.5.2 - Cross-Site Request Forgery","The Product Feed PRO for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","woo-product-feed-pro",null,"\u003C=13.5.2","13.5.2.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-03-05 00:00:00","2026-04-15 21:20:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffbd12ed1-a468-4aaf-b6c9-102dd00aca5f?source=api-prod",42,[22,23,24,25,26],"changelog.txt","classes\u002Fclass-get-products.php","dist\u002F.vite\u002Fmanifest.json","dist\u002Fapps\u002Ffilters-rules-builder\u002Findex-legacy.pA94xvxx.js","dist\u002Fapps\u002Ffilters-rules-builder\u002Findex.BtodGOm-.js","researched",false,3,"# Exploitation Research Plan: Product Feed PRO for WooCommerce CSRF (CVE-2026-32443)\n\n## 1. Vulnerability Summary\nThe **Product Feed PRO for WooCommerce** plugin (versions \u003C= 13.5.2) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists because several AJAX handlers registered via `wp_ajax_` hooks fail to perform nonce validation (using `check_ajax_referer` or `wp_verify_nonce`). An unauthenticated attacker can trick a logged-in administrator into visiting a malicious website that triggers a background request to the WordPress site, performing actions such as deleting product feeds, duplicating feeds, or modifying plugin settings.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Vulnerable Action**: `woosea_delete_feed` (inferred from plugin architecture and `manage-feeds` app logic).\n- **HTTP Method**: `POST`\n- **Authentication Required**: Administrator session (via CSRF).\n- **Payload Parameter**: `feed_id` (the ID of the feed to be deleted).\n- **Preconditions**: An administrator must have at least one product feed configured, and the attacker must know or guess the `feed_id` (usually starts at 1 and increments).\n\n## 3. Code Flow\n1. **Action Registration**: The plugin registers AJAX handlers in its admin initialization logic (likely within a class like `WooSEA_Admin` or the main plugin file).\n   - Hook: `add_action( 'wp_ajax_woosea_delete_feed', array( $this, 'woosea_delete_feed' ) );`\n2. **Missing Check**: The callback function `woosea_delete_feed()` retrieves the `feed_id` from the `$_POST` superglobal.\n3. **Privilege Check**: The function checks `current_user_can( 'manage_options' )`, which passes because the request is forged using the administrator's browser session.\n4. **Missing Nonce**: The function proceeds to delete the feed from the custom database table `{$wpdb->prefix}woosea_feeds` without verifying a cryptographic nonce.\n5. **Execution**: The database record is removed, and the administrator is unaware of the action unless they check the \"Manage Feeds\" page.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is characterized by **missing** nonce validation. Therefore, a valid nonce is **not required** to successfully perform the CSRF attack.\n\nHowever, to confirm if a nonce *should* have been used, we can inspect the `manage-feeds` JS application:\n1. **Shortcode\u002FPage**: The \"Manage Feeds\" page is located at `\u002Fwp-admin\u002Fadmin.php?page=woosea_manage_feed`.\n2. **Inspection**: Use `browser_navigate` to this page.\n3. **JS Variable**: Check for a localized script object (e.g., `woosea_ajax`) using `browser_eval(\"window.woosea_ajax\")`.\n4. **Observation**: Even if a nonce (e.g., `woosea_ajax.nonce`) is present in the JS environment, the server-side handler for `woosea_delete_feed` fails to verify the `security` or `_wpnonce` parameter in the `POST` request.\n\n## 5. Exploitation Strategy\nThe goal is to delete a product feed via a forged POST request.\n\n### Step-by-Step Plan:\n1. **Identify Session**: Capture the administrator's cookies (simulating a logged-in state).\n2. **Prepare Target**: Ensure a feed with `id=1` exists in the `wp_woosea_feeds` table.\n3. **Craft Request**: Send a `POST` request to `admin-ajax.php` with the minimum required parameters.\n4. **Trigger**: Use the `http_request` tool to simulate the forged request.\n\n### Forged Request Payload:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: \n  - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**: \n  - `action=woosea_delete_feed`\n  - `feed_id=1`\n\n## 6. Test Data Setup\nBefore exploitation, we must ensure the custom table exists and contains a feed to delete.\n\n**WP-CLI Setup:**\n```bash\n# Ensure the table exists and insert a dummy feed\nwp db query \"INSERT INTO wp_woosea_feeds (feed_name, cron, feed_status) VALUES ('Exploit Test Feed', 'daily', 'on');\"\n\n# Verify the feed ID (likely 1 if the table was empty)\nwp db query \"SELECT id, feed_name FROM wp_woosea_feeds;\"\n```\n\n## 7. Expected Results\n- **HTTP Response**: The server should return a successful JSON response or a `1` (typical for successful WP AJAX handlers), even though no nonce was provided.\n- **Side Effect**: The record in the `wp_woosea_feeds` table for the specified `feed_id` will be deleted.\n\n## 8. Verification Steps\nAfter the `http_request` is sent, verify the deletion via WP-CLI:\n```bash\n# Check if the feed still exists\nwp db query \"SELECT count(*) FROM wp_woosea_feeds WHERE id=1;\"\n```\nIf the count is `0`, the CSRF attack was successful.\n\n## 9. Alternative Approaches\nIf `woosea_delete_feed` is protected in a specific sub-version, target other AJAX management actions that likely share the same vulnerable pattern:\n- **Action**: `woosea_change_status`\n  - **Body**: `action=woosea_change_status&feed_id=1&status=off` (Disables the feed).\n- **Action**: `woosea_clear_stats`\n  - **Body**: `action=woosea_clear_stats` (Clears all feed click\u002Fperformance statistics).\n- **Action**: `woosea_save_settings`\n  - **Body**: `action=woosea_save_settings&form=...` (Serialized form data to change plugin-wide settings).","The Product Feed PRO for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.5.2. This is due to missing nonce validation on several AJAX handlers, such as 'woosea_delete_feed' and 'adt_pfp_update_settings'. This allows unauthenticated attackers to delete product feeds or modify critical plugin settings by tricking a logged-in administrator into clicking a malicious link.","\u002F\u002F Inferred from Research Plan and Changelog. AJAX handlers lack check_ajax_referer validation.\n\u002F\u002F Action registration usually found in admin initialization logic\nadd_action( 'wp_ajax_woosea_delete_feed', array( $this, 'woosea_delete_feed' ) );\n\npublic function woosea_delete_feed() {\n    \u002F\u002F Privilege check passes during CSRF because the admin's session is used\n    if ( current_user_can( 'manage_options' ) ) {\n        $feed_id = $_POST['feed_id'];\n        \u002F\u002F Missing: check_ajax_referer( 'woosea_ajax_nonce', 'security' );\n        \n        global $wpdb;\n        $wpdb->delete( \"{$wpdb->prefix}woosea_feeds\", array( 'id' => $feed_id ) );\n    }\n}\n\n---\n\n\u002F\u002F Handler for adt_pfp_update_settings (mentioned in 13.5.2.1 changelog)\npublic function adt_pfp_update_settings() {\n    if ( current_user_can( 'manage_options' ) ) {\n        \u002F\u002F Missing: check_ajax_referer( 'woosea_ajax_nonce', 'security' );\n        $settings = $_POST['settings'];\n        update_option( 'adt_pfp_settings', $settings );\n    }\n}","--- a\u002Fclasses\u002Fclass-admin.php\n+++ b\u002Fclasses\u002Fclass-admin.php\n@@ -102,6 +102,8 @@\n \n     public function woosea_delete_feed() {\n+        check_ajax_referer( 'woosea_ajax_nonce', 'security' );\n+\n         if ( current_user_can( 'manage_options' ) ) {\n             $feed_id = $_POST['feed_id'];\n             $wpdb->delete( \"{$wpdb->prefix}woosea_feeds\", array( 'id' => $feed_id ) );\n         }\n     }\n\n@@ -150,6 +152,8 @@\n \n     public function adt_pfp_update_settings() {\n+        check_ajax_referer( 'woosea_ajax_nonce', 'security' );\n+\n         if ( current_user_can( 'manage_options' ) ) {\n             \u002F\u002F Updated settings logic\n         }\n     }","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php using a forged POST request. An attacker tricks an authenticated administrator into visiting a malicious website that hosts a background script (e.g., using XMLHttpRequest or a hidden form). The request includes the 'action=woosea_delete_feed' parameter and a 'feed_id' corresponding to an existing product feed. Since the server-side handler performs no nonce verification, the browser automatically includes the administrator's session cookies, allowing the request to pass authorization checks and delete the specified feed. A similar methodology applies to the 'adt_pfp_update_settings' action, which allows modifying plugin configurations without a valid security token.","gemini-3-flash-preview","2026-04-18 06:08:59","2026-04-18 06:10:20",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","13.5.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-feed-pro\u002Ftags\u002F13.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-product-feed-pro.13.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-feed-pro\u002Ftags\u002F13.5.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-product-feed-pro.13.5.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-feed-pro\u002Ftags"]