CVE-2026-8904
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
The FastPicker plugin, an order management system for WooCommerce, is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.0.2. The issue arises from missing or incorrect nonce validation in the settingsPage function, allowing unauthenticated attackers to modify plugin settings.
Risk Assessment
An attacker can trick an administrator into performing actions, enabling changes to plugin settings, including webhook integration and API URLs. This poses a risk of unauthorized access to critical plugin functionalities.
Recommendation
It is recommended to update the FastPicker plugin to the latest version to mitigate this vulnerability. Additionally, implementing extra security measures, such as nonce verification in custom functions, is advisable.
Original NVD description (English source)
The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

