Impact
WordPress PW WooCommerce Bulk Edit plugin versions up to and including 2.134 are vulnerable to Cross-Site Request Forgery (CSRF): an attacker can cause the plugin's bulk edit functions to run without the victim intending it. The likely attack vector is a page under the attacker's control that makes the victim's browser issue a POST request to the plugin's endpoint while the victim is logged in to WordPress; the browser attaches the session cookies automatically, so the request is processed with the victim's privileges. In a WordPress plugin, a CSRF flaw of this kind generally means the request handler does not verify a nonce bound to the user's session before acting. An attacker could use this to modify product prices, inventory, or other shop data, potentially causing financial loss or service disruption. The CVSS score of 5.4 indicates moderate severity: unauthorized changes are possible, but only with the victim's participation (visiting the attacker's page while authenticated).
Affected Systems
The affected product is PW WooCommerce Bulk Edit by pimwick. All installations of the plugin from its initial release through version 2.134 are susceptible. Administrators, and any other users holding the capabilities the plugin requires for bulk editing, are at risk on sites where the plugin is active if they visit a malicious site during an authenticated session.
Risk and Exploitability
The EPSS score is below 1%, suggesting a low probability of exploitation in the current threat landscape. The vulnerability is not listed in the CISA KEV catalog, and no public exploits have been reported. However, the nature of the flaw means that any administrator who visits a compromised or malicious site could unknowingly submit a bulk edit request, resulting in unauthorized changes. The risk remains moderate: exploitation requires the attacker to lure a user who holds the necessary permissions to a page they control while that user is logged in, but if that succeeds the impact on shop operations can be significant.
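The following is an added illustration of the attack vector described under Impact and of the request check whose absence makes the exploitation scenario above possible. It is hypothetical code written for this advisory, not the PW WooCommerce Bulk Edit plugin's source: the AJAX action name `example_bulk_edit`, the nonce action string, the `product_ids` and `price` parameters, the script handle and the `manage_woocommerce` capability are all assumptions. The first handler shows the pattern that is exploitable cross-site (capability check only), the second adds the WordPress nonce check that defeats a forged POST.

```php
<?php
/**
 * Illustrative WordPress admin-ajax handlers for a WooCommerce bulk price update.
 * Hypothetical code written for this note; NOT the plugin's own source.
 * Action name, nonce action, parameter names and capability are assumptions.
 */

// --- Vulnerable pattern: capability check only, no nonce ------------------------
// current_user_can() proves the *user* may bulk edit, but not that the *request*
// was deliberately issued from the plugin's own admin UI. A page on another origin
// can auto-submit a POST to admin-ajax.php?action=example_bulk_edit and the
// victim's logged-in cookies are attached by the browser, so the edit goes through.
function example_bulk_edit_vulnerable() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Unvalidated input, applied with the victim's privileges.
    example_apply_bulk_edit( array(
        'product_ids' => (array) ( $_POST['product_ids'] ?? array() ),
        'price'       => $_POST['price'] ?? null,
    ) );
    wp_send_json_success();
}
// Shown for contrast only; not registered:
// add_action( 'wp_ajax_example_bulk_edit', 'example_bulk_edit_vulnerable' );

// --- Hardened pattern: nonce + capability + input validation --------------------
function example_bulk_edit_hardened() {
    // Dies with HTTP 403 unless the POSTed 'nonce' field was minted for the
    // 'example_bulk_edit' action in the current user's session. A cross-origin
    // page cannot read that value, so a forged POST never gets past this line.
    check_ajax_referer( 'example_bulk_edit', 'nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $product_ids = array_map( 'absint', (array) ( $_POST['product_ids'] ?? array() ) );
    $price       = isset( $_POST['price'] ) ? wc_format_decimal( wp_unslash( $_POST['price'] ) ) : '';
    if ( empty( $product_ids ) || '' === $price ) {
        wp_send_json_error( 'bad request', 400 );
    }

    example_apply_bulk_edit( array( 'product_ids' => $product_ids, 'price' => $price ) );
    wp_send_json_success( array( 'updated' => count( $product_ids ) ) );
}
add_action( 'wp_ajax_example_bulk_edit', 'example_bulk_edit_hardened' );

// The nonce must reach the plugin's own JavaScript on the admin page; an attacker's
// page never sees it. wp_localize_script() exposes it as exampleBulkEdit.nonce, and
// the client includes it in the POST body under the 'nonce' key.
function example_enqueue_bulk_edit_script( $hook_suffix ) {
    if ( 'edit.php' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-bulk-edit', plugins_url( 'bulk-edit.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-bulk-edit', 'exampleBulkEdit', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_bulk_edit' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_bulk_edit_script' );

// Shared worker: applies one regular price to every listed product.
function example_apply_bulk_edit( array $args ) {
    foreach ( $args['product_ids'] as $id ) {
        $product = wc_get_product( $id );
        if ( $product ) {
            $product->set_regular_price( $args['price'] );
            $product->save();
        }
    }
}
```

For a classic form post handled through `admin-post.php` rather than AJAX, the equivalent pair is `wp_nonce_field()` in the form and `check_admin_referer()` in the handler. Browser defaults that treat cookies as `SameSite=Lax` blunt some cross-site POSTs, but they are not a substitute for the nonce check: the nonce is what ties the request to an action the user actually took in the plugin's UI.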
OpenCVE Enrichment