Description
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted modification of WooCommerce product data via CSRF
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing nonce validation in a WordPress plugin that enables Cross‑Site Request Forgery. An unauthenticated attacker can submit a forged request that causes the site’s administrator or shop manager to update product information, including prices, descriptions, and other fields. This compromise of data integrity can lead to financial loss and damage to product listings.

Affected Systems

This flaw affects the realmag777 "BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net" plugin for WordPress. All releases up to and including version 1.1.5 are impacted. The plug‑in is typically deployed on WooCommerce‑enabled sites running WordPress.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Exploitation relies on a typical CSRF vector: the attacker must lure an authorized user to click a malicious link or submit a forged form. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the availability of an unauthenticated attack path and the ability to alter product data make this risk meaningful for e‑commerce operators.

Generated by OpenCVE AI on April 8, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update (v1.1.6 or later) from the official Pluginus.Net source.
  • If an update cannot be applied immediately, disable the BEAR – Bulk Editor plugin until a patch is available.
  • Restrict access to the WordPress admin interface to trusted users and enforce strong password policies.
  • Enable two‑factor authentication for site administrators and shop managers to mitigate risk of click‑jacking or accidental exploitation.
  • Monitor product listings for unexpected changes and review server logs for suspicious POST requests to the woobe_redraw_table_row endpoint.

Generated by OpenCVE AI on April 8, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Realmag777
Realmag777 bear – Bulk Editor And Products Manager Professional For Woocommerce By Pluginus.net
Wordpress
Wordpress wordpress
Vendors & Products Realmag777
Realmag777 bear – Bulk Editor And Products Manager Professional For Woocommerce By Pluginus.net
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
Title BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Product Data Modification
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Subscriptions

Realmag777 Bear – Bulk Editor And Products Manager Professional For Woocommerce By Pluginus.net
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:41.014Z

Reserved: 2026-01-30T01:19:20.746Z

Link: CVE-2026-1672

cve-icon Vulnrichment

Updated: 2026-04-08T14:47:20.789Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T12:16:19.277

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-1672

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:47Z

Weaknesses