{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/woocommerce/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-2554"}],"_cs_exploited":false,"_cs_products":["WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin \u003c= 6.7.25"],"_cs_severities":["high"],"_cs_tags":["idor","wordpress","woocommerce","account-deletion"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. 
This can lead to complete compromise of the affected website.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Vendor-level access or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003ecustomerid\u003c/code\u003e parameter in the request, setting its value to the ID of the target user account they wish to delete.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter, the application directly uses the provided ID to locate the user account.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function proceeds to delete the user account identified by the attacker-supplied \u003ccode\u003ecustomerid\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe targeted user account is successfully deleted from the WordPress instance.\u003c/li\u003e\n\u003cli\u003eIf the deleted user account was an administrator, the attacker can effectively take control of the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. 
Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e with unusual \u003ccode\u003ecustomerid\u003c/code\u003e values, using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003ecustomerid\u003c/code\u003e parameter within the \u003ccode\u003ewcfm_delete_wcfm_customer\u003c/code\u003e function to prevent arbitrary user deletion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T14:16:17Z","date_published":"2026-05-02T14:16:17Z","id":"/briefs/2026-05-wordpress-wcfm-idor/","summary":"The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.","title":"WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3396"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["woocommerce","sqli","cve-2026-3396","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WooCommerce Ajax Product Filter (WCAPF) plugin, a WordPress extension, is susceptible to a time-based SQL Injection vulnerability (CVE-2026-3396). This flaw stems from inadequate input sanitization of the \u003ccode\u003epost-author\u003c/code\u003e parameter and insufficient preparation within the existing SQL query structure. 
Specifically, all versions of the plugin up to and including version 4.2.3 are affected. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the \u003ccode\u003epost-author\u003c/code\u003e parameter. Successful exploitation allows the attacker to manipulate database queries and extract sensitive information without requiring authentication. This vulnerability poses a significant risk to e-commerce sites using the WCAPF plugin, as attackers could potentially access customer data, administrative credentials, or other confidential information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WooCommerce website using a vulnerable version (\u0026lt;=4.2.3) of the WCAPF plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable \u003ccode\u003epost-author\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an SQL injection payload within the \u003ccode\u003epost-author\u003c/code\u003e parameter, designed to extract data using time-based techniques. 
For example, the attacker might use a \u003ccode\u003eSLEEP()\u003c/code\u003e function to introduce delays based on conditional database queries.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and passes the unsanitized \u003ccode\u003epost-author\u003c/code\u003e parameter to the database query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code manipulates the original query, causing the database to execute the attacker\u0026rsquo;s malicious commands.\u003c/li\u003e\n\u003cli\u003eBased on the response time (due to the \u003ccode\u003eSLEEP()\u003c/code\u003e function), the attacker infers whether their injected SQL query was successful in retrieving specific data.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively refines their SQL injection payload to extract sensitive information, such as user credentials or customer details.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the obtained data, potentially using it for identity theft, financial fraud, or further attacks against the compromised website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3396 can lead to the complete compromise of the vulnerable WooCommerce website\u0026rsquo;s database. An attacker could potentially access sensitive customer data, including names, addresses, credit card details, and purchase history. Furthermore, administrative credentials could be stolen, allowing the attacker to gain full control over the website. This can result in significant financial losses, reputational damage, and legal liabilities for the affected e-commerce business. 
While the exact number of affected websites is unknown, any online store using the WCAPF plugin versions 4.2.3 or earlier is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WCAPF plugin to a version greater than 4.2.3 to patch CVE-2026-3396 (references: CVE-2026-3396).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WooCommerce SQL Injection Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs (references: Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003epost-author\u003c/code\u003e parameter to prevent SQL injection attacks (references: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads, particularly those targeting WCAPF plugin endpoints (references: Sigma rule, Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:16:21Z","date_published":"2026-04-08T12:16:21Z","id":"/briefs/2026-04-woocommerce-sqli/","summary":"The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.","title":"WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)","url":"https://feed.craftedsignal.io/briefs/2026-04-woocommerce-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3499"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","woocommerce","csrf","cve-2026-3499"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin, a WordPress plugin, suffers from a Cross-Site Request 
Forgery (CSRF) vulnerability. Present in versions 13.4.6 through 13.5.2.1, this flaw allows unauthenticated attackers to execute administrative functions if they can successfully coerce a site administrator into performing an action, such as clicking a specially crafted link. The vulnerability stems from the plugin\u0026rsquo;s failure to implement proper nonce validation on several AJAX actions, including \u003ccode\u003eajax_migrate_to_custom_post_type\u003c/code\u003e, \u003ccode\u003eajax_adt_clear_custom_attributes_product_meta_keys\u003c/code\u003e, \u003ccode\u003eajax_update_file_url_to_lower_case\u003c/code\u003e, \u003ccode\u003eajax_use_legacy_filters_and_rules\u003c/code\u003e, and \u003ccode\u003eajax_fix_duplicate_feed\u003c/code\u003e. This vulnerability poses a significant risk to WooCommerce store owners using the affected plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing a request to one of the vulnerable AJAX actions (e.g., \u003ccode\u003eajax_migrate_to_custom_post_type\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL via email, social media, or another channel, attempting to trick a WordPress administrator into clicking the link.\u003c/li\u003e\n\u003cli\u003eThe administrator, while authenticated to the WordPress admin panel, clicks the malicious link.\u003c/li\u003e\n\u003cli\u003eThe administrator\u0026rsquo;s browser sends the forged request to the WordPress server, including the administrator\u0026rsquo;s session cookies.\u003c/li\u003e\n\u003cli\u003eDue to the missing or incorrect nonce validation, the WordPress server processes the request as if it were a legitimate action performed by the administrator.\u003c/li\u003e\n\u003cli\u003eDepending on the specific AJAX action targeted, the attacker can trigger feed migration, clear custom attribute caches, rewrite feed file URLs to 
lowercase, toggle legacy filter and rule settings, or delete duplicate feed posts.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to perform other administrative actions, gaining control over the plugin\u0026rsquo;s settings and data.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially manipulates product feeds to inject malicious content, redirect users, or compromise the WooCommerce store\u0026rsquo;s SEO.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSRF vulnerability (CVE-2026-3499) could allow an attacker to manipulate a WooCommerce store\u0026rsquo;s product feeds, potentially leading to data corruption, SEO poisoning, or the injection of malicious content. If successful, attackers could modify product information, redirect users to phishing sites, or damage the store\u0026rsquo;s reputation. The severity of the impact depends on the targeted AJAX action, but the potential for unauthorized administrative control is significant. 
Given the wide usage of WooCommerce and the Product Feed PRO plugin, a large number of online stores are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Product Feed PRO for WooCommerce plugin to a patched version greater than 13.5.2.1 to remediate CVE-2026-3499.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect exploitation attempts targeting the vulnerable AJAX actions.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests to the vulnerable AJAX endpoints originating from suspicious referrers.\u003c/li\u003e\n\u003cli\u003eEducate WordPress administrators on the risks of CSRF attacks and the importance of verifying links before clicking them.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T02:16:04Z","date_published":"2026-04-08T02:16:04Z","id":"/briefs/2026-04-woocommerce-csrf/","summary":"The Product Feed PRO for WooCommerce WordPress plugin (versions 13.4.6-13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to perform administrative actions by tricking an administrator into clicking a malicious link.","title":"Product Feed PRO for WooCommerce Plugin CSRF Vulnerability (CVE-2026-3499)","url":"https://feed.craftedsignal.io/briefs/2026-04-woocommerce-csrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","woocommerce","reviewx","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe ReviewX – WooCommerce Product Reviews plugin for WordPress, a tool designed to enhance product reviews, contains a critical vulnerability. Identified as CVE-2025-10679, this flaw stems from insufficient input validation within the \u003ccode\u003ebulkTenReviews\u003c/code\u003e function. 
Exploitation allows unauthenticated attackers to invoke arbitrary PHP class methods that either require no input or can utilize default values. This vulnerability affects ReviewX plugin versions up to and including 2.2.12. Successful exploitation can lead to sensitive information disclosure or, under certain server configurations and available methods, remote code execution. This poses a significant risk to e-commerce sites utilizing the vulnerable plugin, potentially impacting customer data and overall site integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the WordPress server targeting the vulnerable \u003ccode\u003ebulkTenReviews\u003c/code\u003e function in the ReviewX plugin.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes malicious input designed to bypass the insufficient input validation within the \u003ccode\u003ebulkTenReviews\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebulkTenReviews\u003c/code\u003e function processes the attacker-controlled data without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is passed to a variable function call mechanism, allowing the attacker to specify an arbitrary PHP class method.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this vulnerability to call a PHP class method that requires no inputs or has default values.\u003c/li\u003e\n\u003cli\u003eDepending on the available methods and server configuration, the attacker may be able to trigger sensitive information disclosure.\u003c/li\u003e\n\u003cli\u003eIn more critical scenarios, the attacker might be able to call methods that allow writing to the file system or executing arbitrary commands, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the WordPress server, enabling them to install malware, steal data, or deface the 
website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-10679 can lead to a range of damaging consequences. Sensitive information, such as customer data and administrative credentials, may be exposed. In the worst-case scenario, attackers can achieve remote code execution, granting them complete control over the affected WordPress server. This can result in website defacement, data theft, malware installation, and denial-of-service attacks. Given the wide usage of WooCommerce and ReviewX, a successful widespread attack could impact numerous e-commerce businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the ReviewX plugin to the latest version (greater than 2.2.12) to patch CVE-2025-10679.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ReviewX Arbitrary Method Calls\u003c/code\u003e to detect exploitation attempts targeting the \u003ccode\u003ebulkTenReviews\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to WordPress plugins with unusual parameters, as highlighted in the Sigma rule \u003ccode\u003eDetect ReviewX Arbitrary Method Calls\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview PHP configurations to harden against potential RCE attempts stemming from arbitrary method calls.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-reviewx-rce/","summary":"The ReviewX WordPress plugin is vulnerable to arbitrary method calls, allowing unauthenticated attackers to potentially achieve remote code execution.","title":"ReviewX WordPress Plugin Arbitrary Method Call Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-reviewx-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — 
Woocommerce","version":"https://jsonfeed.org/version/1.1"}