The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin contains a Cross‑Site Request Forgery (CSRF) flaw caused by missing nonce validation in the woobe_delete_tax_term() function. As a result, an unauthenticated attacker can delete WooCommerce taxonomy terms—such as categories, tags, and other taxonomies—when an administrator or shop manager follows a forged request. The description does not mention any privilege escalation or data exfiltration; therefore, based on the information given, it is inferred that the vulnerability does not enable attackers to obtain broader authentication or retrieve sensitive data. The primary impact is on the integrity and availability of the site’s product classification data.

The vulnerability affects all installations of the BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin up to and including version 1.1.5. Users who are running WordPress sites with WooCommerce and who rely on this plugin for taxonomy management are at risk. The issue is limited to functionality that allows taxonomy deletion and does not impact other plugin features or core WordPress components.

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, implying that exploitation may not yet be widespread. The likely attack vector involves social engineering, where an attacker sends a malicious link or prompt to a site administrator or shop manager, causing them to execute the forged request while authenticated. Because the flaw only permits deletion of taxonomy terms and does not grant further administrative privileges, the overall risk is constrained to the taxonomy data set rather than full site control.