Medium severity6.5NVD Advisory· Published Apr 8, 2026· Updated Apr 24, 2026

CVE-2026-1672

Description

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.

Affected products

WordPress/Woo Bulk Editorinferred
Range: <=1.1.5
Package: https://wordpress.org/plugins/woo-bulk-editor
Pluginus/Bear Woocommerce Bulk Editor And Products Manager Professionalllm-fuzzy
Range: <=1.1.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026)
Wordfence Blog · May 14, 2026
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026)
Wordfence Blog · Apr 16, 2026

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000