Description
The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FastPicker plugin for WordPress suffers from a CSRF flaw due to missing or incorrect nonce validation in its settingsPage function. An attacker who tricks an administrator into visiting a crafted URL can alter the plugin’s configuration, toggling webhook integration and redefining FastPicker and KDZ API endpoints. This compromise can redirect traffic, change API calls, or enable further compromise of the WooCommerce store.

Affected Systems

vulnerable versions of the FastPicker plugin—any release up to and including 1.0.2—can be installed on WordPress sites running WooCommerce. The flaw exposes the plugin’s settings pages to unauthorized changes, affecting sites that use this order picker and order management system.

Risk and Exploitability

With a CVSS score of 4.3 the flaw presents a moderate risk. No EPSS data is available and the vulnerability is not in CISA’s KEV catalog. If the site administrator is logged in when visiting a malicious link, the attacker can exploit the flaw; the required conditions include an authenticated admin session and the ability to embed a forged request in a link or email. The attack vector is inferred from the description, which indicates the need for an admin to click a link that delivers the CSRF payload.

Generated by OpenCVE AI on June 9, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FastPicker to a version newer than 1.0.2
  • Ensure that all plugin forms include valid WordPress nonce fields and test that changing settings requires a logged‑in admin session
  • If an update is not yet available, temporarily disable the plugin or remove its settings page until a patch is released

Generated by OpenCVE AI on June 9, 2026 at 05:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Yuluma
Yuluma fastpicker, An Order Picker And Order Management System (oms) For Woocommerce On Steroids
Vendors & Products Wordpress
Wordpress wordpress
Yuluma
Yuluma fastpicker, An Order Picker And Order Management System (oms) For Woocommerce On Steroids

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title FastPicker, an order picker and order management system (oms) for WooCommerce on steroids <= 1.0.2 - Cross-Site Request Forgery via Settings Save
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Yuluma Fastpicker, An Order Picker And Order Management System (oms) For Woocommerce On Steroids
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T19:07:16.667Z

Reserved: 2026-05-18T21:19:04.590Z

Link: CVE-2026-8904

cve-icon Vulnrichment

Updated: 2026-06-09T19:07:10.712Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:40.280

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8904

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:55:57Z

Weaknesses