Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify the minimum order weight setting by tricking a site administrator into clicking a link or visiting an attacker-controlled page containing a forged POST request.
AnalysisAI
Cross-Site Request Forgery in WooCommerce Minimum Weight plugin for WordPress up to version 3.0.1 allows unauthenticated attackers to modify minimum order weight settings by tricking site administrators into clicking malicious links or visiting attacker-controlled pages. The vulnerability stems from missing nonce verification in the settings update handler, enabling forged POST requests to alter critical e-commerce configuration without admin consent. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability exists in the edit-weight.php file of the WooCommerce Minimum Weight plugin, a WordPress extension that controls minimum order weight thresholds for WooCommerce stores. WordPress nonces are cryptographic tokens that prevent Cross-Site Request Forgery attacks by validating that state-changing requests originate from legitimate admin sessions. The plugin fails to implement nonce verification on its settings update handler, violating WordPress security best practices outlined in the Plugin Development Handbook. This is classified under CWE-352 (Cross-Site Request Forgery), a well-understood vulnerability class in web applications where attackers exploit the browser's automatic credential-sending behavior to perform unauthorized actions on behalf of authenticated users.
RemediationAI
Update the WooCommerce Minimum Weight plugin to the latest patched version released by the vendor following the Wordfence vulnerability disclosure. Site administrators should navigate to WordPress Dashboard → Plugins and update the plugin immediately. If a patched version is not yet available, temporarily disable the plugin via Dashboard → Plugins → Deactivate until the security update is released, then re-enable it once patched. As a compensating control, restrict access to the WordPress admin dashboard using IP whitelisting or Web Application Firewall rules to limit attacker ability to socially engineer administrators into visiting malicious sites while authenticated. Additionally, educate site administrators about phishing and social engineering attacks, and consider implementing WordPress security plugins that monitor for unauthorized admin setting changes. Note that disabling the plugin entirely removes minimum weight enforcement, which may require alternative shipping rule configuration in WooCommerce settings.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29412
GHSA-x9wm-2xqw-v725