CVE Catalog

CVE-2026-8904

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile - higher than 2% of all known CVEs

Summary

The FastPicker plugin, an order management system for WooCommerce, is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.0.2. The issue arises from missing or incorrect nonce validation in the settingsPage function, allowing unauthenticated attackers to modify plugin settings.

Risk Assessment

An attacker can trick an administrator into performing actions, enabling changes to plugin settings, including webhook integration and API URLs. This poses a risk of unauthorized access to critical plugin functionalities.

Recommendation

It is recommended to update the FastPicker plugin to the latest version to mitigate this vulnerability. Additionally, implementing extra security measures, such as nonce verification in custom functions, is advisable.

Original NVD description (English source)

The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS