Cyber Posture

CVE-2026-39671

Severity: High
Published: 08 April 2026
Modified: 24 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-39671 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE is ranked at the 4.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious Link (T1204.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 requires mechanisms to protect communications session authenticity, directly mitigating CSRF by validating that requests originate from legitimate user sessions via tokens or origin checks.

Prevent: SI-10 mandates validation of all information inputs, including anti-CSRF tokens and HTTP headers like Referer or Origin, to block forged requests exploiting the vulnerability.

Prevent: SI-2 ensures timely identification, reporting, and correction of flaws like this CSRF vulnerability in the WooCommerce plugin, preventing exploitation through patching.
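The token and origin checks SC-23 and SI-10 call for, shown in the WordPress admin-ajax pattern a WooCommerce fee plugin would typically use. This is an added illustration, not the plugin's or Patchstack's code; the handler, capability and option names (efp_save_fee_rule, manage_woocommerce, efp_fee_rules) are assumptions, and an authorization check is included alongside the CSRF defenses.

```php
<?php
// Assumed handler for saving a checkout fee rule via admin-ajax (hypothetical names).

// Unprotected shape: any request carrying the victim's logged-in cookie is honoured,
// so a form auto-submitted from another origin can rewrite the fee configuration.
function efp_save_fee_rule_unprotected() {
    $rule = array(
        'label'  => sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) ),
        'amount' => (float) ( $_POST['amount'] ?? 0 ),
    );
    update_option( 'efp_fee_rules', $rule );
    wp_send_json_success();
}

// Hardened shape: bind the request to the user's session with a nonce (SC-23),
// check authorization, and validate Origin/Referer as a second signal (SI-10).
function efp_save_fee_rule() {
    // 1. Nonce tied to this session and action name; a page on a foreign origin
    //    cannot read it. check_ajax_referer() stops with HTTP 403 on failure.
    check_ajax_referer( 'efp_save_fee_rule', 'security' );

    // 2. Only users allowed to manage the shop may change fees.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Defence in depth: reject requests whose Origin/Referer is another site.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ( $origin !== '' && ! efp_same_site( $origin ) ) {
        wp_send_json_error( 'cross-site request rejected', 403 );
    }

    $rule = array(
        'label'  => sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) ),
        'amount' => (float) ( $_POST['amount'] ?? 0 ),
    );
    update_option( 'efp_fee_rules', $rule );
    wp_send_json_success();
}

// Compare the request's origin host with the site's own host (case-insensitive).
function efp_same_site( $url ) {
    $req  = wp_parse_url( $url );
    $site = wp_parse_url( home_url() );
    return isset( $req['host'], $site['host'] )
        && strtolower( $req['host'] ) === strtolower( $site['host'] );
}

add_action( 'wp_ajax_efp_save_fee_rule', 'efp_save_fee_rule' );
// The settings form must send wp_create_nonce( 'efp_save_fee_rule' ) in the 'security' field.
```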

MITRE ATT&CK Enterprise Techniques

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

CSRF requires user interaction to trigger malicious requests, typically via a crafted link or page that submits actions on behalf of the authenticated victim.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery. This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.

Deeper analysis

CVE-2026-39671 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Dotstore Extra Fees Plugin for WooCommerce (plugin slug woo-conditional-product-fees-for-checkout). This issue affects all versions from n/a through 4.3.3. The vulnerability was published on 2026-04-08T09:16:38.553 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

The vulnerability enables exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and results in a scope change (S:C) with low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). Any remote attacker can craft malicious requests to trick authenticated users into performing unintended actions via CSRF, such as modifying checkout fees or related configurations on behalf of the victim.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-conditional-product-fees-for-checkout/vulnerability/wordpress-extra-fees-plugin-for-woocommerce-plugin-4-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. Security practitioners should review this reference for patch information and recommended actions.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

CVEs Like This One (shared CWE-352)

CVE-2025-28867
CVE-2026-41347
CVE-2024-57373
CVE-2025-28856
CVE-2025-25769
CVE-2025-26550
CVE-2025-23661
CVE-2025-25088
CVE-2026-25812
CVE-2025-15405
