Description
Cross-Site Request Forgery (CSRF) vulnerability in N-Media Bulk Product Sync sync-wc-google allows Cross Site Request Forgery.This issue affects Bulk Product Sync: from n/a through <= 8.6.
Published: 2025-04-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to trick an authenticated user into performing unintended actions through the Bulk Product Sync plugin. The impact can be unauthorized product synchronization or other data manipulation, potentially compromising the integrity of a WordPress site. The CVSS score of 4.3 indicates a moderate severity, and the weakness is identified as CWE‑352.

Affected Systems

The N‑Media Bulk Product Sync plugin, any installation of version 8.6 or earlier, is affected.

Risk and Exploitability

The exploit requires a user with privileges to be tricked into visiting a malicious URL that submits a request to the plugin’s sync endpoint. The EPSS score of <1% indicates a low probability of active exploitation at the present time, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to convince a human user to perform the request, and the lack of a broader automated vector limits immediate threat but does not eliminate risk.

Generated by OpenCVE AI on May 1, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Bulk Product Sync plugin to the latest version (>8.6).
  • If an upgrade is not immediately possible, disable the bulk sync feature or restrict it to administrator accounts only.
  • Employ web application firewall rules or security plugins that block or challenge cross‑site requests without valid anti‑CSRF tokens.

Generated by OpenCVE AI on May 1, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9194 Cross-Site Request Forgery (CSRF) vulnerability in N-Media Bulk Product Sync allows Cross Site Request Forgery. This issue affects Bulk Product Sync: from n/a through 8.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in N-Media Bulk Product Sync allows Cross Site Request Forgery. This issue affects Bulk Product Sync: from n/a through 8.6. Cross-Site Request Forgery (CSRF) vulnerability in N-Media Bulk Product Sync sync-wc-google allows Cross Site Request Forgery.This issue affects Bulk Product Sync: from n/a through <= 8.6.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in N-Media Bulk Product Sync allows Cross Site Request Forgery. This issue affects Bulk Product Sync: from n/a through 8.6.
Title WordPress Bulk Product Sync plugin <= 8.6 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.262Z

Reserved: 2025-04-01T13:21:00.364Z

Link: CVE-2025-31852

cve-icon Vulnrichment

Updated: 2025-04-01T15:43:50.803Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:26.467

Modified: 2026-04-23T15:28:25.220

Link: CVE-2025-31852

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T02:00:06Z

Weaknesses