Description
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
Published: 2026-04-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The CVE describes a Cross‑Site Request Forgery (CSRF) vulnerability in the Dotstore Extra Fees Plugin for WooCommerce. The flaw allows an attacker to send a forged request that the plugin processes as if it originated from a legitimate authenticated user, enabling unauthorized actions under the user’s context.

Affected Systems

Any WordPress site that runs the Dotstore Extra Fees Plugin for WooCommerce up through version 4.3.3 is affected. No other vendors or product versions are listed as impacted. Sites using later versions are not known to have this issue.

Risk and Exploitability

The CVSS score of 7.1 reflects a high severity, while the EPSS score of under 1% indicates low exploit probability. The flaw is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been observed. Based on the description, it is inferred that the attacker must target an authenticated user's session, and the likely attack vector is a crafted request sent from a malicious site to a victim site where the user is logged in.

Generated by OpenCVE AI on April 13, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of the Dotstore Extra Fees Plugin for WooCommerce that removes the CSRF flaw; verify release notes for remediation.
  • If no update is available immediately, disable or uninstall the plugin to eliminate the vulnerability.
  • Ensure the WordPress core and all other plugins are kept up to date, reducing the overall attack surface.
  • As a temporary measure, implement site‑wide CSRF protection, such as WP nonce checks on forms that alter plugin behavior.

Generated by OpenCVE AI on April 13, 2026 at 23:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Dotstore
Dotstore extra Fees Plugin For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Dotstore
Dotstore extra Fees Plugin For Woocommerce
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
Title WordPress Extra Fees Plugin for WooCommerce plugin <= 4.3.3 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Dotstore Extra Fees Plugin For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.764Z

Reserved: 2026-04-07T10:57:59.671Z

Link: CVE-2026-39671

cve-icon Vulnrichment

Updated: 2026-04-13T20:12:18.786Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:38.553

Modified: 2026-04-29T10:17:38.417

Link: CVE-2026-39671

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:41Z

Weaknesses