Impact
Cross‑Site Request Forgery (CSRF) in the Product Code for WooCommerce plugin allows an attacker to craft a request that a victim’s authenticated browser submits to WordPress, causing the plugin to write to the database on the victim’s behalf. Because the database update is triggered directly by the forged request, with no check that the victim intended it, the flaw exposes the integrity of the plugin’s product data and could potentially be used to manipulate listings, pricing or other settings the plugin manages.
Affected Systems
The flaw affects the artiosmedia Product Code for WooCommerce plugin in all versions up to and including 1.5.0. Any WordPress site still running 1.5.0 or earlier is exposed; updating to a later release is the fix. The plugin’s code does not implement proper CSRF checks for state‑changing operations such as database updates: in WordPress terms, the handler does not verify a nonce (wp_verify_nonce() / check_admin_referer()) before performing the write, so any request that arrives with the victim’s session cookies is accepted.
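As an added illustration (this is example code, not the plugin’s own), the pattern below shows a WordPress admin-post handler that performs a database write with no CSRF protection, beside a hardened version that checks a nonce, checks a capability, and sanitises input. The hook names, the `_example_product_code` meta key, the `_example_nonce` field and the `edit_products` capability are assumptions chosen for the example.

```php
<?php
/*
 * Illustrative example only: this is NOT the Product Code for WooCommerce
 * plugin's code. It shows the CSRF pattern the advisory describes (a
 * state-changing database write reachable by a forged request) beside a
 * hardened version that follows WordPress conventions. Hook names, the meta
 * key, the nonce field name and the capability are hypothetical.
 */

/* --- Vulnerable pattern: no nonce, no capability check ------------------- */
add_action( 'admin_post_example_save_product_code', 'example_save_product_code_vulnerable' );

function example_save_product_code_vulnerable() {
    global $wpdb;

    // Everything in $_POST is trusted. A page on an attacker's site can POST
    // these same fields to wp-admin/admin-post.php; the victim's browser
    // attaches the logged-in cookies and WordPress runs this handler for them.
    $product_id = (int) $_POST['product_id'];
    $code       = $_POST['product_code'];

    // Direct database update triggered by the (possibly forged) request.
    $wpdb->update(
        $wpdb->prefix . 'postmeta',
        array( 'meta_value' => $code ),
        array( 'post_id' => $product_id, 'meta_key' => '_example_product_code' )
    );

    wp_safe_redirect( admin_url( 'edit.php?post_type=product' ) );
    exit;
}

/* --- Hardened pattern: nonce (anti-CSRF) + capability + sanitising -------- */
add_action( 'admin_post_example_save_product_code_safe', 'example_save_product_code_safe' );

function example_save_product_code_safe() {
    // 1. Anti-CSRF: the request must carry a nonce WordPress minted for this
    //    user and this action. A cross-site form cannot know it.
    //    check_admin_referer() calls wp_die() if the nonce is missing/invalid.
    check_admin_referer( 'example_save_product_code', '_example_nonce' );

    // 2. Authorisation: a nonce proves intent, not permission. Require a
    //    capability appropriate to editing product data (assumed name).
    if ( ! current_user_can( 'edit_products' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }

    // 3. Input handling: coerce and sanitise before anything touches the DB.
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $code       = isset( $_POST['product_code'] )
        ? sanitize_text_field( wp_unslash( $_POST['product_code'] ) )
        : '';

    if ( 0 === $product_id || 'product' !== get_post_type( $product_id ) ) {
        wp_die( esc_html__( 'Invalid product.', 'example' ), 400 );
    }

    // The write is now gated by the checks above; update_post_meta() is the
    // idiomatic API for post meta and handles escaping for us.
    update_post_meta( $product_id, '_example_product_code', $code );

    wp_safe_redirect( admin_url( 'post.php?post=' . $product_id . '&action=edit' ) );
    exit;
}

/* --- The legitimate form must emit the nonce the safe handler expects ---- */
function example_render_product_code_form( $product_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_product_code_safe">
        <input type="hidden" name="product_id" value="<?php echo (int) $product_id; ?>">
        <?php wp_nonce_field( 'example_save_product_code', '_example_nonce' ); ?>
        <input type="text" name="product_code" value="">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The nonce and the capability check answer different questions and both are needed: the nonce ties the request to a form the logged-in user actually loaded, while current_user_can() confirms that user is allowed to change the data at all. Relying on browser SameSite cookie defaults instead of a nonce is not a substitute, since the defaults vary by browser and do not cover every request pattern.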
Risk and Exploitability
The CVSS score of 4.3 reflects medium severity; the EPSS score is below 1%, indicating a very low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a web request issued from the victim’s own browser: the victim must be logged in to WordPress with an account privileged enough to reach the vulnerable handler, and must be induced to visit an attacker‑controlled page or follow a crafted link, which submits the forged request with the victim’s session cookies. A successful attack compromises the integrity of the affected product data; the low score reflects that exploitation needs user interaction from a privileged victim and that the impact is to integrity rather than confidentiality or availability.