VYPR
Medium severity 6.5 · NVD Advisory · Published Mar 13, 2026 · Updated Apr 22, 2026

CVE-2026-32443

Description

Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery. This issue affects Product Feed PRO for WooCommerce: from n/a through <= 13.5.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Product Feed PRO for WooCommerce plugin up to 13.5.2 allows attackers to force privileged users to execute unwanted actions.

What is the vulnerability?

The Product Feed PRO for WooCommerce plugin by Josh Kohlbach suffers from a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 13.5.2. This issue arises due to missing or insufficient nonce validation on certain administrative actions, allowing an attacker to trick a logged-in administrator into executing unintended requests [1].

How is it exploited?

Exploitation requires user interaction: an administrator must click a malicious link, visit a crafted page, or submit a form while authenticated. The attacker does not need direct authentication but relies on the victim's session. The vulnerability can be triggered remotely via social engineering or by embedding a crafted link in a comment or email [1].

What is the impact?

A successful CSRF attack can force the administrator to perform actions such as modifying plugin settings, deleting product feeds, or injecting malicious content, potentially leading to further compromise of the WordPress site. The CVSS v3 base score is 6.5 (Medium) [1].

Mitigation

The vulnerability is patched in version 13.5.2.1. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workarounds are available [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
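
To act on the Mitigation section above, the following added example (not part of the advisory or of the plugin's code) checks whether a WordPress install carries an affected release of `woo-product-feed-pro`. It assumes the standard `wp-content/plugins/<slug>/` layout and a conventional `Version:` plugin header; the function names are illustrative.

```python
import re
import sys
from itertools import zip_longest
from pathlib import Path

SLUG = "woo-product-feed-pro"  # plugin slug named in the advisory
LAST_AFFECTED = "13.5.2"       # advisory: affected "through <= 13.5.2"

# WordPress reads plugin metadata from a header comment in the first 8 KB of
# a top-level PHP file, e.g. " * Version: 13.5.2".
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)

def parse_version(text):
    """'13.5.2.1' -> (13, 5, 2, 1); empty segments are ignored."""
    return tuple(int(p) for p in text.split(".") if p)

def is_affected(version, last_affected=LAST_AFFECTED):
    """True if version <= last_affected. Shorter versions are zero-padded so
    13.5.2.0 equals 13.5.2 and the fixed 13.5.2.1 compares greater."""
    a, b = parse_version(version), parse_version(last_affected)
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return x < y
    return True

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    plugin_dir = Path(plugin_dir)
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if match and NAME_RE.search(head):
            return match.group(1)
    return None

def check_site(wp_content):
    """Return (version, affected); (None, False) if the plugin is absent."""
    version = installed_version(Path(wp_content) / "plugins" / SLUG)
    return version, version is not None and is_affected(version)

if __name__ == "__main__":
    ver, hit = check_site(sys.argv[1] if len(sys.argv) > 1 else "wp-content")
    print(f"{SLUG}: version={ver} affected={hit}")
    sys.exit(1 if hit else 0)
```

Run it with the path to a site's `wp-content` directory; the exit status is 1 when an affected version is installed, so it can gate a patch-compliance job.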
