CVE-2026-3499
Published: 08 April 2026
Summary
CVE-2026-3499 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE is ranked at the 6.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3499 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting the Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress. It impacts versions 13.4.6 through 13.5.2.1 due to missing or incorrect nonce validation on the following AJAX functions: ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed. Published on 2026-04-08, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking on a malicious link, which submits a forged request to the vulnerable endpoints. Successful exploitation enables attackers to trigger feed migration to custom post types, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts, potentially disrupting site functionality and data integrity.
Patches addressing this issue are available via WordPress plugin trac changeset 3476067 for woo-product-feed-pro; further details are in the referenced Wordfence threat-intelligence advisory. Security practitioners should apply these updates promptly to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20026
Vulnerability details
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
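The nonce-validation gap described in the analysis and the vulnerability details above, as an added illustration that is not the plugin's, Wordfence's or this page's own code: a hypothetical WordPress AJAX handler (the action name demo_fix_duplicate_feed, the 'product_feed' post type, the admin.js script and all function names are assumptions) shown first without, then with, the checks that stop a forged cross-site request from reaching a state-changing action.

```php
<?php
/**
 * Hypothetical illustration of the CWE-352 pattern behind CVE-2026-3499.
 * Not the plugin's own code; every name below is an assumption.
 */

// --- Vulnerable form: a destructive admin-ajax.php action with no nonce and
// no capability check. The handler runs with whatever session the browser
// attaches, so a cross-site form submission that rides on an administrator's
// cookies is executed as that administrator.
function demo_fix_duplicate_feed_vulnerable() {
    $feed_id = isset( $_POST['feed_id'] ) ? absint( $_POST['feed_id'] ) : 0;
    wp_delete_post( $feed_id, true ); // state change, unguarded
    wp_send_json_success( array( 'deleted' => $feed_id ) );
}

// --- Hardened form.
function demo_fix_duplicate_feed_secure() {
    // 1. Intent check: the request must carry a nonce minted for this action
    //    and tied to the current user's session. A forged cross-site request
    //    cannot read that value. check_ajax_referer() responds 403 and dies
    //    when the nonce is missing or invalid.
    check_ajax_referer( 'demo_fix_duplicate_feed', 'nonce' );

    // 2. Authorization check: a valid nonce proves the request came from a page
    //    this user loaded, not that the user may perform the action.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Validate input before acting on it ('product_feed' is an assumed post type).
    $feed_id = isset( $_POST['feed_id'] ) ? absint( wp_unslash( $_POST['feed_id'] ) ) : 0;
    if ( 0 === $feed_id || 'product_feed' !== get_post_type( $feed_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid feed id' ), 400 );
    }

    wp_delete_post( $feed_id, true );
    wp_send_json_success( array( 'deleted' => $feed_id ) );
}

// Register only the authenticated hook. An administrative action must not be
// exposed through wp_ajax_nopriv_*, which would let anonymous requests reach
// the handler without any session at all.
add_action( 'wp_ajax_demo_fix_duplicate_feed', 'demo_fix_duplicate_feed_secure' );

// Mint the nonce server-side and pass it to the admin page's script, which
// must send it as the "nonce" POST field with every request for this action.
function demo_enqueue_feed_admin_script() {
    wp_enqueue_script( 'demo-feed-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-feed-admin', 'demoFeedAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_fix_duplicate_feed' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_feed_admin_script' );
```

The two checks in the hardened handler answer different questions: the nonce proves the request was initiated from a page the logged-in user actually loaded, and the capability check proves that user is allowed to do this. Either one alone leaves a gap, which is why a missing or incorrect nonce check on an otherwise admin-only action is enough to produce the CSRF class this CVE belongs to. For detection on an unpatched site, POST requests to admin-ajax.php for administrative actions whose Origin or Referer header is a foreign site are worth flagging in web-server or WAF logs.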
Related threats (MITRE ATT&CK Enterprise techniques)
Why these techniques?
The CSRF flaw lets an attacker use a malicious link to trick an administrator (User Execution: Malicious Link, T1204.001) into triggering actions that delete feed posts (Data Destruction, T1485) and alter stored data such as feed URLs, settings and caches (Stored Data Manipulation, T1565.001).
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): directly mitigates CSRF by requiring mechanisms that protect the authenticity of communications sessions, such as nonce validation on state-changing AJAX requests.
- SI-10 (Information Input Validation): requires validation of information inputs, including CSRF nonces on the vulnerable AJAX functions, to block forged requests from unauthenticated attackers.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and correction of the nonce-validation flaw by applying the available patches to the affected plugin versions.