Description
The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify the minimum order weight setting by tricking a site administrator into clicking a link or visiting an attacker-controlled page containing a forged POST request.
Published: 2026-05-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Woo Commerce Minimum Weight plugin's settings update handler (edit-weight.php), which saves the submitted value without verifying a WordPress nonce. The resulting CSRF flaw (CWE-352) lets an unauthenticated attacker cause a logged-in site administrator's browser to submit a forged POST request that alters the minimum order weight configuration. Raising or lowering that threshold changes which orders are accepted and how shipping is calculated, which can disrupt e-commerce operations. The flaw carries a CVSS 3.1 base score of 4.3 (Medium); its only impact is on integrity, and only on that one setting.

Affected Systems

All installations of the Woo Commerce Minimum Weight plugin for WordPress, version 3.0.1 and earlier, developed by hemant29.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) yields a base score of 4.3, Medium: the handler is reachable over the network with low complexity and the attacker needs no privileges, but user interaction is required and the only impact is a limited loss of integrity. The EPSS score is below 1% (very low), the issue is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation as none and Automatable as no. The attacker needs no prior foothold on the site, only a way to get a logged-in administrator to open an attacker-controlled page (or click a link to it) containing a form that automatically submits a POST to the settings handler. Because the browser attaches the administrator's session cookies and the handler never checks a nonce, the change is applied with the administrator's privileges. The attacker can set the minimum order weight through this flaw but cannot read data or otherwise take over the site.

Generated by OpenCVE AI on May 12, 2026 at 10:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Woo Commerce Minimum Weight plugin as soon as a release newer than 3.0.1 that adds nonce verification to the settings update handler is available; at the time of writing no fixed version is listed.
  • Until then, add a nonce check to the handler in edit‑weight.php (WordPress's wp_nonce_field() in the settings form and check_admin_referer() or wp_verify_nonce() in the handler) together with a capability check such as current_user_can(), so that only a request originating from the plugin's own settings form, submitted by a user allowed to change the setting, is processed. If the file cannot be patched, deactivating the plugin removes the exposed handler.
  • A capability check alone does not prevent CSRF, because the forged request is sent by the browser of an administrator who already holds that capability; it is a necessary companion to the nonce, not a substitute. Log POST requests to the handler and alert on ones that arrive without a valid nonce or with an Origin or Referer header from another site, and periodically verify that the stored minimum order weight still has its expected value.
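The following is an added example, not the plugin's own code (the advisory does not reproduce the handler). It reconstructs the pattern the description implies, a handler that stores a value from $_POST with no nonce check, next to a hardened version using standard WordPress APIs. The option name wcmw_min_weight, the field and nonce names, the nonce action string, the admin_post action name and the manage_woocommerce capability are all assumptions chosen for illustration.

```php
<?php
/*
 * Added example, not code from the Woo Commerce Minimum Weight plugin.
 * Option name, field names, nonce action and capability are assumptions.
 */

// --- Vulnerable pattern (as the advisory describes: no nonce verification) ---
function wcmw_example_save_weight_vulnerable() {
    if ( isset( $_POST['wcmw_min_weight'] ) ) {
        // Every POST that reaches this code is trusted. A form on an attacker's
        // page that auto-submits to this URL is sent with the administrator's
        // session cookies, so the forged value is stored.
        update_option( 'wcmw_min_weight', sanitize_text_field( wp_unslash( $_POST['wcmw_min_weight'] ) ) );
    }
}

// --- Hardened form: the nonce ties the request to this user and this action ---
function wcmw_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wcmw_save_weight', 'wcmw_nonce' ); ?>
        <input type="hidden" name="action" value="wcmw_save_weight">
        <label>Minimum order weight
            <input type="number" step="0.01" min="0" name="wcmw_min_weight"
                   value="<?php echo esc_attr( get_option( 'wcmw_min_weight', '0' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Accepts a non-negative numeric string; returns null for anything else.
function wcmw_example_validate_weight( $raw ) {
    if ( ! is_numeric( $raw ) || (float) $raw < 0 ) {
        return null;
    }
    return (float) $raw;
}

function wcmw_example_save_weight_hardened() {
    // 1. Capability check: necessary, but on its own it does not stop CSRF,
    //    since the forged request is sent by an administrator's browser.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. Nonce check: check_admin_referer() calls wp_die() with a 403 unless
    //    the request carries a nonce generated for this user, this action and
    //    the current nonce lifetime window. An attacker's page cannot read or
    //    forge it, so a cross-site POST stops here.
    check_admin_referer( 'wcmw_save_weight', 'wcmw_nonce' );

    // 3. Validate the value before storing it.
    $raw    = isset( $_POST['wcmw_min_weight'] ) ? wp_unslash( $_POST['wcmw_min_weight'] ) : '';
    $weight = wcmw_example_validate_weight( $raw );
    if ( null === $weight ) {
        wp_die( 'Invalid weight.', 400 );
    }
    update_option( 'wcmw_min_weight', $weight );

    // Redirect back to the settings page (referer if available, else the dashboard).
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'wcmw_saved', '1', $back ) );
    exit;
}

// admin_post_{action} only fires for logged-in users; unauthenticated requests
// would need admin_post_nopriv_{action}, which is deliberately not registered.
add_action( 'admin_post_wcmw_save_weight', 'wcmw_example_save_weight_hardened' );
```

The ordering matters: the capability check runs first so that a low-privileged user cannot probe the nonce logic, and the nonce check runs before any input is touched. A nonce check on the handler alone is enough to close the CSRF described in the advisory; the capability check and input validation are the other two controls a settings handler should always have.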



Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hemant29
                                      Hemant29 woo Commerce Minimum Weight
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Hemant29
                                      Hemant29 woo Commerce Minimum Weight
                                      Wordpress
                                      Wordpress wordpress

Tue, 12 May 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 08:30:00 +0000

Type          Values Removed   Values Added
Description                    The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify the minimum order weight setting by tricking a site administrator into clicking a link or visiting an attacker-controlled page containing a forged POST request.
Title                          Woo Commerce Minimum Weight <= 3.0.1 - Cross-Site Request Forgery via Settings Update Form
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:46:24.310Z

Reserved: 2026-04-23T18:19:12.344Z

Link: CVE-2026-6932

Vulnrichment

Updated: 2026-05-12T12:46:20.650Z

NVD

Status : Deferred

Published: 2026-05-12T09:16:56.770

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-6932

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:39:30Z

Weaknesses