CVE Catalog

CVE-2026-1672

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile - higher than 7% of all known CVEs

Summary

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function, allowing unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request, provided they trick a site administrator or shop manager into performing an action such as clicking a link.

Risk Assessment

The risk involves unauthorized modification of product data in the WooCommerce store, which can lead to manipulation of prices, descriptions, and other critical information, affecting store integrity and customer trust.

Recommendation

It is recommended to immediately update the BEAR – Bulk Editor and Products Manager Professional plugin to the latest available version that includes a fix for the missing nonce validation. Additionally, consider implementing additional CSRF protection mechanisms such as using tokens in forms.

Original NVD description (English source)

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS