CVE-2026-3499 HIGH

CVE-2026-3499: Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions

Vendor Jkohlbach

Product Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce

Weakness CWE-352 · CSRF

Published April 8, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Key dates

Disclosure timeline

April 8, 2026 CVE published

April 8, 2026 Record updated

Identifiers

CVE CVE-2026-3499

CWE CWE-352

CVSS 8.8 / HIGH

Affected versions

Vendor Jkohlbach

Product Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce

Affected ≥ 13.4.6 and ≤ 13.5.2.1