Cyber Resilience

CVE-2026-3499

Severity: High
Published: 08 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (6.0th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-3499 is a high-severity Cross-Site Request Forgery (CWE-352) vulnerability affecting WordPress (the affected platform is inferred from the references). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE is ranked at the 6.0th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3499 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting the Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress. It impacts versions 13.4.6 through 13.5.2.1 due to missing or incorrect nonce validation on the following AJAX functions: ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed. Published on 2026-04-08, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking on a malicious link, which submits a forged request to the vulnerable endpoints. Successful exploitation enables attackers to trigger feed migration to custom post types, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts, potentially disrupting site functionality and data integrity.

Patches addressing this issue are available via WordPress plugin Trac changeset 3476067 for woo-product-feed-pro; further details are in the referenced Wordfence threat-intelligence advisory. Security practitioners should apply the update promptly to mitigate the risk.

Vulnerability details

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
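The defect described in the Deeper analysis and Vulnerability details sections is a state-changing `wp_ajax_` handler that runs without verifying a nonce. The following is an added example written for this page, not code from the Product Feed PRO plugin or its changeset: a hypothetical handler in its vulnerable form beside the hardened form. The handler names (`adt_example_fix_duplicates_*`), the nonce action string, the `adt_example_feed` post type and the script handle are assumptions; `add_action`, `check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script`, `get_posts`, `wp_delete_post` and `wp_send_json_*` are real WordPress APIs, and `manage_woocommerce` is a capability WooCommerce defines.

```php
<?php
/**
 * Added example (not the plugin's own code). Illustrates the CWE-352 pattern
 * behind CVE-2026-3499: an admin-only AJAX action that trusts the request
 * because the administrator's session cookies are attached automatically.
 * Handler, post type and script names below are hypothetical.
 */

// --- Vulnerable form: any forged request the admin's browser submits reaches it.
function adt_example_fix_duplicates_vulnerable() {
    // No nonce check and no capability check: a cross-site form or link the
    // administrator is lured into submitting runs this under the admin session.
    $deleted = adt_example_delete_duplicate_feeds();
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
add_action( 'wp_ajax_adt_example_fix_duplicates_vulnerable', 'adt_example_fix_duplicates_vulnerable' );

// --- Hardened form: same action, protected by a nonce bound to a named action
//     plus an explicit capability check (defence in depth; SC-23 and SI-10).
function adt_example_fix_duplicates_hardened() {
    // Verifies the 'security' request field against the nonce action and, by
    // default, terminates the request (wp_die with -1) when it does not match.
    // A third-party origin cannot read the nonce, so a forged request fails here.
    check_ajax_referer( 'adt_example_fix_duplicates', 'security' );

    // A nonce proves intent, not authorization: still require the capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    $deleted = adt_example_delete_duplicate_feeds();
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
add_action( 'wp_ajax_adt_example_fix_duplicates_hardened', 'adt_example_fix_duplicates_hardened' );

// The legitimate admin page must embed a nonce for the same action string so
// its JavaScript can send it as the 'security' field of the AJAX request.
function adt_example_enqueue_admin_script() {
    wp_enqueue_script( 'adt-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'adt-example-admin', 'adtExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'adt_example_fix_duplicates' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'adt_example_enqueue_admin_script' );

// Hypothetical stand-in for a duplicate-feed cleanup: keeps the oldest post per
// title for the assumed 'adt_example_feed' post type and trashes the rest.
// Returns the number of posts removed.
function adt_example_delete_duplicate_feeds() {
    $feeds = get_posts( array(
        'post_type'      => 'adt_example_feed',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        'orderby'        => 'date',
        'order'          => 'ASC',
    ) );

    $seen    = array();
    $deleted = 0;
    foreach ( $feeds as $feed ) {
        if ( isset( $seen[ $feed->post_title ] ) ) {
            wp_delete_post( $feed->ID, false ); // false = move to trash, not purge
            $deleted++;
        } else {
            $seen[ $feed->post_title ] = $feed->ID;
        }
    }
    return $deleted;
}
```

Note that neither handler is registered on `wp_ajax_nopriv_`, so an unauthenticated attacker cannot call it directly; the exposure comes entirely from riding an authenticated administrator's session, which is why the nonce (a per-session, per-action token the attacker's page cannot obtain) closes the gap while the capability check alone would not.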

CWE(s)

CWE-352 (Cross-Site Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The CSRF vulnerability lets an attacker use a malicious link to trick an administrator (T1204.001) into triggering actions that delete feed posts (T1485) and manipulate stored data such as URLs, settings and caches (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41347 (shared CWE-352)
CVE-2026-39671 (shared CWE-352)
CVE-2025-28856 (shared CWE-352)
CVE-2025-28867 (shared CWE-352)
CVE-2025-25769 (shared CWE-352)
CVE-2024-57373 (shared CWE-352)
CVE-2026-31954 (shared CWE-352)
CVE-2025-55046 (shared CWE-352)
CVE-2025-70031 (shared CWE-352)
CVE-2025-23902 (shared CWE-352)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent)
Directly mitigates CSRF by enforcing mechanisms to protect the authenticity of communications sessions, such as nonce validation on state-changing AJAX requests.

SI-10 Information Input Validation (prevent)
Requires validation of information inputs, such as CSRF nonces on the vulnerable AJAX functions, to block forged requests from unauthenticated attackers.

SI-2 Flaw Remediation (prevent)
Ensures timely identification, reporting, and correction of the specific flaw in nonce validation via the available patches for the affected plugin versions.

References