Skip to main content

Bear Bulk Editor And Products Manager Professional For Woocommerce By Pluginus Net EUVDEUVD-2026-20439

| CVE-2026-1672 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 Wordfence GHSA-fx2j-23gp-92rg
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from Vendor (Wordfence) · only source for this CVE.

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 11:46 euvd
EUVD-2026-20439
Analysis Generated
Apr 08, 2026 - 11:46 vuln.today
CVE Published
Apr 08, 2026 - 11:16 nvd
MEDIUM 6.5

DescriptionCVE.org

The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to modify WooCommerce product data including prices, descriptions, and other fields by tricking administrators or shop managers into clicking a malicious link, due to missing nonce validation in the woobe_redraw_table_row() function. CVSS 6.5 reflects the high integrity impact; no public exploit code or active exploitation has been confirmed at analysis time.

Technical ContextAI

This vulnerability is a classic Cross-Site Request Forgery (CWE-352) affecting a WordPress plugin that extends WooCommerce functionality. The woobe_redraw_table_row() function processes product data updates without implementing WordPress nonce validation, which is the standard CSRF protection mechanism in the WordPress ecosystem. WordPress nonces are cryptographic tokens tied to the current user session and action context; their absence allows an attacker to forge requests on behalf of a victim. The vulnerability requires user interaction (UI:R in CVSS) because the victim (typically an administrator or shop manager with elevated privileges) must be socially engineered into visiting an attacker-controlled page or clicking a malicious link. The CPE identifies this as plugin version 1.1.5 and earlier from the vendor realmag777, distributed through the WordPress plugin repository.

RemediationAI

Update the BEAR - Bulk Editor and Products Manager Professional for WooCommerce plugin to a patched version released after 1.1.5. WordPress plugin repository changesets at https://plugins.trac.wordpress.org/changeset/3457263/ and https://plugins.trac.wordpress.org/changeset/3465138/ indicate patch commits; administrators should update through the WordPress plugin dashboard to the latest available version. If an update is not yet available in the WordPress repository, verify the plugin version against the official plugin page and check for security advisories from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve. As a temporary mitigation, restrict access to WooCommerce product management pages to trusted networks or implement Web Application Firewall (WAF) rules to block suspicious CSRF patterns; however, patching is the primary remediation.

Share

EUVD-2026-20439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy