Impact
The Cross-Site Request Forgery flaw in Dotstore Extra Fees Plugin for WooCommerce allows a remote attacker to force a logged-in user to send arbitrary HTTP requests that change fee settings for product checkout. By exploiting the missing CSRF token or nonce validation, an attacker could add, modify or remove extra charges from the cart, which can lead to incorrect pricing, loss of revenue or a negative customer experience. This issue does not provide direct code execution but can undermine the integrity of the checkout flow.
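The root cause described above is a settings handler that acts on any POST request reaching it. The following is an added illustration written for this page, not code from the Dotstore plugin: it shows the general vulnerable pattern next to the WordPress-idiomatic fix (a nonce field on the form, check_admin_referer() in the handler, a capability check, and input sanitisation). All function, action, option and capability names prefixed with example_ are hypothetical; manage_woocommerce is WooCommerce's real shop-management capability.

```php
<?php
// Added illustration, not the Dotstore plugin's code. Every example_* name
// (functions, admin_post actions, option keys, nonce action) is hypothetical.

// Vulnerable pattern: no nonce, no capability check. A form hosted elsewhere
// that posts to admin-post.php with action=example_save_fees_unsafe is accepted
// as long as the visiting browser carries a logged-in WordPress session.
function example_save_fee_settings_vulnerable() {
    $fees = isset( $_POST['extra_fees'] ) ? (array) $_POST['extra_fees'] : array();
    update_option( 'example_extra_fees', $fees );
    wp_safe_redirect( admin_url( 'admin.php?page=example-fees' ) );
    exit;
}
// Registered under a distinct action name here only so both handlers can
// coexist in one file; a real plugin would ship just the hardened one.
add_action( 'admin_post_example_save_fees_unsafe', 'example_save_fee_settings_vulnerable' );

// Hardened pattern, part 1: the settings form embeds a nonce tied to the
// current user and session, so a cross-origin form cannot reproduce it.
function example_render_fee_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_fees">
        <?php wp_nonce_field( 'example_save_fees', 'example_fees_nonce' ); ?>
        <label>Handling fee <input type="text" name="extra_fees[handling]" value=""></label>
        <?php submit_button( 'Save fees' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: verify the nonce, then the capability, then sanitise.
function example_save_fee_settings_hardened() {
    // 1. Nonce: rejects requests that did not originate from the plugin's own
    //    form. check_admin_referer() calls wp_die() with a 403 on failure.
    check_admin_referer( 'example_save_fees', 'example_fees_nonce' );

    // 2. Capability: a nonce proves origin, not authorisation, so the user's
    //    right to change shop settings is checked separately.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change fee settings.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 3. Input: keep only non-negative numeric amounts keyed by a safe slug,
    //    so a malformed or oversized payload cannot corrupt the stored fees.
    $raw   = isset( $_POST['extra_fees'] ) ? (array) wp_unslash( $_POST['extra_fees'] ) : array();
    $clean = array();
    foreach ( $raw as $key => $amount ) {
        $key = sanitize_key( $key );
        if ( '' !== $key && is_numeric( $amount ) && (float) $amount >= 0 ) {
            $clean[ $key ] = (float) $amount;
        }
    }
    update_option( 'example_extra_fees', $clean );
    wp_safe_redirect( admin_url( 'admin.php?page=example-fees&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_fees', 'example_save_fee_settings_hardened' );
```

When reviewing a plugin for this class of flaw, the check is mechanical: every handler hooked to admin_post_*, wp_ajax_* or an options page should begin with a nonce verification (check_admin_referer(), check_ajax_referer() or wp_verify_nonce()) followed by a current_user_can() test, before any update_option() or database write. A handler that reaches the write without both is exposed in exactly the way the Impact section describes.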
Affected Systems
Any WordPress site running Dotstore Extra Fees Plugin for WooCommerce with a version up to and including 4.3.3 is affected. The vulnerability is present in all releases from the first available version up to 4.3.3, so any installation that has not been upgraded past that point is at risk.
Risk and Exploitability
No CVSS or EPSS scores are available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires a victim who is authenticated to the site and has permission to modify fee settings. Because the exploit hinges on user interaction with a malicious link or form, the likelihood of successful exploitation is moderate but could be higher in environments where administrators frequently log in from untrusted networks or devices. Until a patch is applied, the vulnerability poses a tangible risk to price integrity and revenue.
OpenCVE Enrichment