Vulnerability Description
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/3476067/woo-product-feed-pro
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5b645b88-85e0-4e89-bd9
FAQ
What is CVE-2026-3499?
CVE-2026-3499 is a vulnerability with a CVSS score of 8.8 (HIGH). The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to mi...
How severe is CVE-2026-3499?
CVE-2026-3499 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-3499?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.