Product Feed PRO for WooCommerce allows attackers to trick site administrators

CVE-2026-3499
Summary

The Product Feed PRO for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF): an attacker who tricks a logged-in administrator into an action such as clicking a link can have forged requests sent to the plugin in that administrator's name. This could lead to unintended changes to the plugin's settings or data. To protect your site, update to the latest version of the plugin.

Original title
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to...
Original description
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
NVD CVSS 3.1 score: 8.8
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026
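
A static check a site owner or reviewer could run over an installed copy of the plugin's PHP source, reporting whether each of the five handlers named in the description calls a WordPress nonce validator. This is an added example, not code from the plugin or the advisory; the sample PHP, the nonce action `example_action` and the field name `security` are constructed placeholders, and the brace matching is a heuristic.

```python
import re

# Handler names as listed in the advisory for CVE-2026-3499.
HANDLERS = [
    "ajax_migrate_to_custom_post_type",
    "ajax_adt_clear_custom_attributes_product_meta_keys",
    "ajax_update_file_url_to_lower_case",
    "ajax_use_legacy_filters_and_rules",
    "ajax_fix_duplicate_feed",
]
# WordPress core functions that validate a nonce.
NONCE_CALL = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
COMMENTS = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)

def function_body(src, name):
    """Return the brace-delimited body of PHP function `name`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # heuristic: braces inside strings are not handled
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src, handlers=HANDLERS):
    """Map each handler to 'absent', 'no-nonce-check' or 'nonce-check'."""
    report = {}
    for name in handlers:
        body = function_body(src, name)
        if body is None:
            report[name] = "absent"
            continue
        code = COMMENTS.sub("", body)  # a commented-out check must not count
        report[name] = "nonce-check" if NONCE_CALL.search(code) else "no-nonce-check"
    return report

# Constructed sample source (not the plugin's code); nonce action and field are placeholders.
SAMPLE = """
function ajax_fix_duplicate_feed() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error(); }
    // check_ajax_referer( 'example_action', 'security' );
    wp_send_json_success();
}
function ajax_use_legacy_filters_and_rules() {
    check_ajax_referer( 'example_action', 'security' );
    wp_send_json_success();
}
"""
```

The first sample handler shows why a capability check alone does not help: the forged request arrives with the administrator's session, so only the nonce distinguishes it. The script reports presence of a validator call only; validation that is present but incorrect (for example a `wp_verify_nonce` result that is never tested) still needs manual review.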