Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery.This issue affects Product Feed PRO for WooCommerce: from n/a through <= 13.5.2.
AnalysisAI
A Cross-Site Request Forgery (CSRF) vulnerability exists in Josh Kohlbach's Product Feed PRO for WooCommerce plugin affecting versions up to 13.5.2, allowing unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators through malicious web requests. While the CVSS score is 6.5 (Medium), the EPSS score of 0.01% (1st percentile) indicates minimal real-world exploitation probability, suggesting this is a low-priority vulnerability despite the integrity impact. No KEV status or active exploitation evidence is documented.
Technical ContextAI
This CSRF vulnerability (CWE-352) resides in the Josh Kohlbach Product Feed PRO for WooCommerce WordPress plugin (CPE: cpe:2.3:a:josh_kohlbach:product_feed_pro_for_woocommerce:*:*:*:*:*:*:*:*). The plugin handles WooCommerce product feed generation and management. The root cause is insufficient CSRF token validation in the plugin's admin actions, allowing attackers to craft malicious requests that execute administrative functions (such as feed configuration changes, deletion, or export operations) without proper nonce verification. WordPress plugins are particularly susceptible to CSRF when they expose administrative AJAX endpoints or form handlers without adequate wp_nonce validation.
RemediationAI
vendor_patch: Upgrade Product Feed PRO for WooCommerce to version > 13.5.2 (specific patched version not explicitly stated in references; contact vendor or check plugin repository); priority: medium detection: Monitor WordPress admin logs for unusual feed configuration changes, deletions, or exports originating from unauthenticated sessions or unexpected origins workaround: Implement Content Security Policy (CSP) headers with frame-ancestors 'none' to prevent embedded malicious pages from initiating CSRF requests mitigation: Restrict admin access to known IP ranges; use WordPress security plugins (Wordfence, Sucuri) to monitor and block CSRF-like activity patterns
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11987