Description
Cross-Site Request Forgery (CSRF) vulnerability in mklacroix Product Configurator for WooCommerce product-configurator-for-woocommerce allows Cross Site Request Forgery. This issue affects Product Configurator for WooCommerce: from n/a through <= 1.4.4.
Published: 2025-08-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery (CWE-352) flaw in the Product Configurator for WooCommerce plugin: at least one state-changing request the plugin handles is accepted on the strength of the victim's WordPress session cookies alone, with no nonce or equivalent token proving that the request originated from the plugin's own UI. A malicious page visited by a user who is logged in to the site with sufficient rights can therefore make that user's browser submit a forged request, and the plugin will act on it as that user, changing its configuration or performing other unintended actions. The CVSS vector (C:N/I:L/A:L) scopes the impact to limited loss of integrity and availability; it records no disclosure of sensitive data.

Affected Systems

The affected vendor is mklacroix and the product is the Product Configurator for WooCommerce WordPress plugin (slug product-configurator-for-woocommerce). Every version up to and including 1.4.4 is affected; no fixed version is recorded on this page. Any WordPress site running the plugin at an affected version is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) indicates moderate severity: the attacker needs no privileges of their own but does need a victim to interact, and the outcome is limited integrity and availability impact. The EPSS score below 1% indicates a very low predicted probability of exploitation in the wild, the SSVC assessment records no known exploitation and rates the issue as not automatable, and the vulnerability is not listed in the CISA KEV catalog. As with any CSRF, the attack is browser-based: a user who is logged in to wp-admin with rights to use the plugin visits an attacker-controlled page or follows a crafted link, and that page causes the browser to send a request to the site carrying the user's session cookies. The plugin then processes the request as that user, allowing the attacker to change the plugin's settings or trigger other state-changing actions it exposes.

Generated by OpenCVE AI on April 30, 2026 at 16:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version later than 1.4.4 as soon as the vendor publishes one. This page records no fixed version, so confirm from the plugin's changelog or the Patchstack advisory that a given release actually contains the fix before relying on it.
  • If no fixed version is available, deactivate or delete the Product Configurator for WooCommerce plugin until one is released. Deactivation removes the plugin's request handlers, which is the only reliable way to close the CSRF surface of a plugin you cannot patch.
  • In the meantime, reduce the blast radius: keep the set of users with rights to manage the plugin small, and have those users log out of wp-admin before browsing untrusted sites, since CSRF requires an authenticated browser session.
  • For code you maintain or fork, make every state-changing admin action (admin-post.php, admin-ajax.php and REST handlers) verify both a capability with current_user_can() and a nonce with check_admin_referer(), check_ajax_referer() or wp_verify_nonce(). WordPress nonces are issued and checked per handler; there is no site-wide setting that adds them to a third-party plugin that omits them.
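The missing control described in the analysis above and the nonce-plus-capability check recommended in the last action item, shown side by side as an added example. This is not code from the Product Configurator for WooCommerce plugin or from mklacroix: the hook names (pcw_save_settings_vuln, pcw_save_settings, pcw_reset), the option pcw_base_price, the settings page slug and the manage_options capability are hypothetical. The functions used (add_action, check_admin_referer, current_user_can, wp_nonce_field, wp_nonce_url, update_option, wp_safe_redirect, wp_die, submit_button) are WordPress core APIs.

```php
<?php
/**
 * Added illustration (not code from the Product Configurator for WooCommerce
 * plugin). Hook names, the pcw_base_price option and the capability are
 * hypothetical. Both handlers save a setting from an admin form posted to
 * wp-admin/admin-post.php; admin_post_{action} only fires for logged-in users.
 */

// --- Vulnerable pattern: session cookies are the only "proof" (CWE-352) ------

add_action( 'admin_post_pcw_save_settings_vuln', 'pcw_save_settings_vuln' );
function pcw_save_settings_vuln() {
    // The browser attaches the WordPress auth cookies to a cross-site form
    // post automatically, so any page the admin visits can drive this handler.
    $price = isset( $_POST['pcw_base_price'] )
        ? sanitize_text_field( wp_unslash( $_POST['pcw_base_price'] ) )
        : '';
    update_option( 'pcw_base_price', $price ); // attacker-chosen value persisted
    wp_safe_redirect( admin_url( 'admin.php?page=pcw-settings&saved=1' ) );
    exit;
}

// --- Hardened pattern: capability check + nonce bound to user and action ------

add_action( 'admin_post_pcw_save_settings', 'pcw_save_settings' );
function pcw_save_settings() {
    // 1. Authorisation: is this user allowed to change settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Request-origin proof: dies with 403 unless _wpnonce is valid for this
    //    user and this action. Nonces are per-user, per-action and time-limited,
    //    so a third-party page cannot mint one for the victim.
    check_admin_referer( 'pcw_save_settings', '_wpnonce' );

    $price = isset( $_POST['pcw_base_price'] )
        ? sanitize_text_field( wp_unslash( $_POST['pcw_base_price'] ) )
        : '';
    update_option( 'pcw_base_price', $price );
    wp_safe_redirect( admin_url( 'admin.php?page=pcw-settings&saved=1' ) );
    exit;
}

// --- The legitimate form: the only place a valid nonce is issued --------------

function pcw_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pcw_save_settings">
        <?php
        // Emits the hidden _wpnonce field (and _wp_http_referer, used only
        // for redirects; it is not a CSRF control).
        wp_nonce_field( 'pcw_save_settings', '_wpnonce' );
        ?>
        <label>Base price
            <input type="text" name="pcw_base_price"
                   value="<?php echo esc_attr( get_option( 'pcw_base_price', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// State-changing GET links (a "reset configuration" button, say) need the
// same treatment: sign the URL and verify it with check_admin_referer().
function pcw_reset_link() {
    return wp_nonce_url( admin_url( 'admin-post.php?action=pcw_reset' ), 'pcw_reset', '_wpnonce' );
}
```

When auditing a plugin, list every add_action() hooked on admin_post_, admin_post_nopriv_, wp_ajax_ or wp_ajax_nopriv_ and confirm each handler calls check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before it writes anything. Both checks in the hardened handler are necessary: a nonce check without current_user_can() lets any logged-in user, a Subscriber included, drive the action from the legitimate form, while a capability check without a nonce is exactly the gap CSRF exploits.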


Advisories
Source: EUVD
ID: EUVD-2025-24719
Title: Cross-Site Request Forgery (CSRF) vulnerability in mklacroix Product Configurator for WooCommerce allows Cross Site Request Forgery. This issue affects Product Configurator for WooCommerce: from n/a through 1.4.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description (removed): Cross-Site Request Forgery (CSRF) vulnerability in mklacroix Product Configurator for WooCommerce allows Cross Site Request Forgery. This issue affects Product Configurator for WooCommerce: from n/a through 1.4.4.
Description (added): Cross-Site Request Forgery (CSRF) vulnerability in mklacroix Product Configurator for WooCommerce product-configurator-for-woocommerce allows Cross Site Request Forgery. This issue affects Product Configurator for WooCommerce: from n/a through <= 1.4.4.
References: changed
Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Sat, 16 Aug 2025 21:45:00 +0000

First Time appeared: Product Configurator For Woocommerce Project (product: Product Configurator For Woocommerce); Woocommerce (product: woocommerce); Wordpress (product: wordpress)
Vendors & Products: Product Configurator For Woocommerce Project (product: Product Configurator For Woocommerce); Woocommerce (product: woocommerce); Wordpress (product: wordpress)

Thu, 14 Aug 2025 15:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 10:45:00 +0000

Description: Cross-Site Request Forgery (CSRF) vulnerability in mklacroix Product Configurator for WooCommerce allows Cross Site Request Forgery. This issue affects Product Configurator for WooCommerce: from n/a through 1.4.4.
Title: WordPress Product Configurator for WooCommerce Plugin plugin <= 1.4.4 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses: CWE-352
References: changed
Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


Subscriptions

Vendor: Product Configurator For Woocommerce Project; Product: Product Configurator For Woocommerce
Vendor: Woocommerce; Product: Woocommerce
Vendor: Wordpress; Product: Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.257Z

Reserved: 2025-07-28T10:55:38.572Z

Link: CVE-2025-54674

Vulnrichment

Updated: 2025-08-14T14:17:36.416Z

NVD

Status : Deferred

Published: 2025-08-14T11:15:46.027

Modified: 2026-04-23T15:32:48.013

Link: CVE-2025-54674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:30:16Z

Weaknesses