The vulnerability stems from missing or incorrect nonce verification on several AJAX endpoints in the Product Feed PRO for WooCommerce plugin. This flaw permits an unauthenticated user to forge requests that trigger a range of administrative actions, including migrating feeds, clearing custom-attribute caches, rewriting feed file URLs to lowercase, toggling legacy filter and rule settings, and deleting duplicate feed posts. The resulting impact is the potential alteration or disruption of product feed data, misuse of administrative controls, and possibly broader site destabilization.

WordPress sites running the Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce, specifically versions 13.4.6 through 13.5.2.1. No other products or vendors are directly implicated.

With a CVSS score of 8.8, the flaw is classified as high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. The most likely attack vector is an unauthenticated attacker sending a forged request that tricks a site administrator into clicking a malicious link, thereby triggering the vulnerable AJAX calls. Given the exposure of sensitive administrative actions and the high CVSS rating, the risk of exploitation in affected environments is significant, especially where users are susceptible to phishing or social engineering.