https://feed.craftedsignal.io/tags/woocommerce/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 14:16:17 +0000https://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/Sat, 02 May 2026 14:16:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-wordpress-wcfm-idor/The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin, a popular WordPress plugin, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. This flaw, present in versions up to and including 6.7.25, stems from a lack of proper validation on the customerid parameter within the wcfm_delete_wcfm_customer function. An attacker with Vendor-level privileges or higher can exploit this vulnerability to delete any user account on the WordPress instance, including those with administrative rights. This can lead to complete compromise of the affected website.

Attack Chain

1. An attacker authenticates to the WordPress site with Vendor-level access or higher.
2. The attacker crafts a malicious HTTP request targeting the wcfm_delete_wcfm_customer function.
3. The attacker includes the customerid parameter in the request, setting its value to the ID of the target user account they wish to delete.
4. Due to the missing validation on the customerid parameter, the application directly uses the provided ID to locate the user account.
5. The wcfm_delete_wcfm_customer function proceeds to delete the user account identified by the attacker-supplied customerid.
6. The targeted user account is successfully deleted from the WordPress instance.
7. If the deleted user account was an administrator, the attacker can effectively take control of the website.

Impact

Successful exploitation of this IDOR vulnerability allows an attacker to delete arbitrary user accounts, including those with administrative privileges. This can lead to a complete compromise of the affected WordPress website. An attacker could then deface the website, steal sensitive data, or use it to launch further attacks. Due to the popularity of the plugin, a large number of WooCommerce stores are potentially affected.

Recommendation

• Apply the latest available patch or upgrade to a version of the WCFM plugin greater than 6.7.25 to remediate CVE-2026-2554.
• Monitor web server logs for suspicious requests to wcfm_delete_wcfm_customer with unusual customerid values, using the Sigma rule provided below.
• Implement input validation on the customerid parameter within the wcfm_delete_wcfm_customer function to prevent arbitrary user deletion.

]]>highadvisoryidorwordpresswoocommerceaccount-deletionhttps://feed.craftedsignal.io/briefs/2026-04-woocommerce-sqli/Wed, 08 Apr 2026 12:16:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-woocommerce-sqli/The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.The WooCommerce Ajax Product Filter (WCAPF) plugin, a WordPress extension, is susceptible to a time-based SQL Injection vulnerability (CVE-2026-3396). This flaw stems from inadequate input sanitization of the post-author parameter and insufficient preparation within the existing SQL query structure. Specifically, all versions of the plugin up to and including version 4.2.3 are affected. An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL code into the post-author parameter. Successful exploitation allows the attacker to manipulate database queries and extract sensitive information without requiring authentication. This vulnerability poses a significant risk to e-commerce sites using the WCAPF plugin, as attackers could potentially access customer data, administrative credentials, or other confidential information.

Attack Chain

1. An unauthenticated attacker identifies a WooCommerce website using a vulnerable version (<=4.2.3) of the WCAPF plugin.
2. The attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable post-author parameter.
3. The crafted request includes SQL injection payload within the post-author parameter, designed to extract data using time-based techniques. For example, the attacker might use a SLEEP() function to introduce delays based on conditional database queries.
4. The web server processes the request and passes the unsanitized post-author parameter to the database query.
5. The injected SQL code manipulates the original query, causing the database to execute the attacker’s malicious commands.
6. Based on the response time (due to the SLEEP() function), the attacker infers whether their injected SQL query was successful in retrieving specific data.
7. The attacker iteratively refines their SQL injection payload to extract sensitive information, such as user credentials or customer details.
8. The attacker exfiltrates the obtained data, potentially using it for identity theft, financial fraud, or further attacks against the compromised website.

Impact

Successful exploitation of CVE-2026-3396 can lead to the complete compromise of the vulnerable WooCommerce website’s database. An attacker could potentially access sensitive customer data, including names, addresses, credit card details, and purchase history. Furthermore, administrative credentials could be stolen, allowing the attacker to gain full control over the website. This can result in significant financial losses, reputational damage, and legal liabilities for the affected e-commerce business. While the exact number of affected websites is unknown, any online store using the WCAPF plugin versions 4.2.3 or earlier is potentially at risk.

Recommendation

• Upgrade the WCAPF plugin to a version greater than 4.2.3 to patch CVE-2026-3396 (references: CVE-2026-3396).
• Deploy the Sigma rule Detect WooCommerce SQL Injection Attempt to identify potential exploitation attempts in web server logs (references: Sigma rule).
• Implement input validation and sanitization on the post-author parameter to prevent SQL injection attacks (references: Attack Chain).
• Monitor web server logs for suspicious requests containing SQL injection payloads, particularly those targeting WCAPF plugin endpoints (references: Sigma rule, Attack Chain).

]]>highadvisorywoocommercesqlicve-2026-3396wordpresspluginhttps://feed.craftedsignal.io/briefs/2026-04-woocommerce-csrf/Wed, 08 Apr 2026 02:16:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-woocommerce-csrf/The Product Feed PRO for WooCommerce WordPress plugin (versions 13.4.6-13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to perform administrative actions by tricking an administrator into clicking a malicious link.The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin, a WordPress plugin, suffers from a Cross-Site Request Forgery (CSRF) vulnerability. Present in versions 13.4.6 through 13.5.2.1, this flaw allows unauthenticated attackers to execute administrative functions if they can successfully coerce a site administrator into performing an action, such as clicking a specially crafted link. The vulnerability stems from the plugin’s failure to implement proper nonce validation on several AJAX actions, including ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed. This vulnerability poses a significant risk to WooCommerce store owners using the affected plugin.

Attack Chain

1. The attacker crafts a malicious URL containing a request to one of the vulnerable AJAX actions (e.g., ajax_migrate_to_custom_post_type).
2. The attacker distributes the malicious URL via email, social media, or another channel, attempting to trick a WordPress administrator into clicking the link.
3. The administrator, while authenticated to the WordPress admin panel, clicks the malicious link.
4. The administrator’s browser sends the forged request to the WordPress server, including the administrator’s session cookies.
5. Due to the missing or incorrect nonce validation, the WordPress server processes the request as if it were a legitimate action performed by the administrator.
6. Depending on the specific AJAX action targeted, the attacker can trigger feed migration, clear custom attribute caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, or delete duplicate feed posts.
7. The attacker repeats this process to perform other administrative actions, gaining control over the plugin’s settings and data.
8. The attacker potentially manipulates product feeds to inject malicious content, redirect users, or compromise the WooCommerce store’s SEO.

Impact

Successful exploitation of this CSRF vulnerability (CVE-2026-3499) could allow an attacker to manipulate a WooCommerce store’s product feeds, potentially leading to data corruption, SEO poisoning, or the injection of malicious content. If successful, attackers could modify product information, redirect users to phishing sites, or damage the store’s reputation. The severity of the impact depends on the targeted AJAX action, but the potential for unauthorized administrative control is significant. Given the wide usage of WooCommerce and the Product Feed PRO plugin, a large number of online stores are potentially at risk.

Recommendation

• Upgrade the Product Feed PRO for WooCommerce plugin to a patched version greater than 13.5.2.1 to remediate CVE-2026-3499.
• Deploy the provided Sigma rules to your SIEM to detect exploitation attempts targeting the vulnerable AJAX actions.
• Implement web application firewall (WAF) rules to block requests to the vulnerable AJAX endpoints originating from suspicious referrers.
• Educate WordPress administrators on the risks of CSRF attacks and the importance of verifying links before clicking them.

]]>highadvisorywordpresswoocommercecsrfcve-2026-3499https://feed.craftedsignal.io/briefs/2026-03-reviewx-rce/Tue, 24 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-reviewx-rce/The ReviewX WordPress plugin is vulnerable to arbitrary method calls, allowing unauthenticated attackers to potentially achieve remote code execution.The ReviewX – WooCommerce Product Reviews plugin for WordPress, a tool designed to enhance product reviews, contains a critical vulnerability. Identified as CVE-2025-10679, this flaw stems from insufficient input validation within the bulkTenReviews function. Exploitation allows unauthenticated attackers to invoke arbitrary PHP class methods that either require no input or can utilize default values. This vulnerability affects ReviewX plugin versions up to and including 2.2.12. Successful exploitation can lead to sensitive information disclosure or, under certain server configurations and available methods, remote code execution. This poses a significant risk to e-commerce sites utilizing the vulnerable plugin, potentially impacting customer data and overall site integrity.

Attack Chain

1. The attacker sends a crafted HTTP request to the WordPress server targeting the vulnerable bulkTenReviews function in the ReviewX plugin.
2. The crafted request includes malicious input designed to bypass the insufficient input validation within the bulkTenReviews function.
3. The bulkTenReviews function processes the attacker-controlled data without proper sanitization.
4. The unsanitized input is passed to a variable function call mechanism, allowing the attacker to specify an arbitrary PHP class method.
5. The attacker leverages this vulnerability to call a PHP class method that requires no inputs or has default values.
6. Depending on the available methods and server configuration, the attacker may be able to trigger sensitive information disclosure.
7. In more critical scenarios, the attacker might be able to call methods that allow writing to the file system or executing arbitrary commands, leading to remote code execution.
8. The attacker gains control of the WordPress server, enabling them to install malware, steal data, or deface the website.

Impact

Successful exploitation of CVE-2025-10679 can lead to a range of damaging consequences. Sensitive information, such as customer data and administrative credentials, may be exposed. In the worst-case scenario, attackers can achieve remote code execution, granting them complete control over the affected WordPress server. This can result in website defacement, data theft, malware installation, and denial-of-service attacks. Given the wide usage of WooCommerce and ReviewX, a successful widespread attack could impact numerous e-commerce businesses.

Recommendation

• Immediately update the ReviewX plugin to the latest version (greater than 2.2.12) to patch CVE-2025-10679.
• Deploy the Sigma rule Detect ReviewX Arbitrary Method Calls to detect exploitation attempts targeting the bulkTenReviews function.
• Monitor web server logs for suspicious POST requests to WordPress plugins with unusual parameters, as highlighted in the Sigma rule Detect ReviewX Arbitrary Method Calls.
• Review PHP configurations to harden against potential RCE attempts stemming from arbitrary method calls.

]]>criticaladvisorywordpresswoocommercereviewxrcevulnerability