PT-2026-31069 · Automattic+2 · Woocommerce+2

Lucky_Buddy · Published 2026-04-08 · Updated 2026-04-21 · CVE-2026-3499

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Product Feed PRO for WooCommerce by AdTribes versions 13.4.6 through 13.5.2.1

Description

The Product Feed PRO for WooCommerce plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation. Specifically, the ajax migrate to custom post type, ajax adt clear custom attributes product meta keys, ajax update file url to lower case, ajax use legacy filters and rules, and ajax fix duplicate feed functions are affected. Successful exploitation allows unauthenticated attackers to trigger actions like feed migration, clearing caches, rewriting file URLs, toggling settings, and deleting posts by tricking a site administrator into performing an action.

Recommendations

For versions 13.4.6 through 13.5.2.1, ensure nonce validation is implemented correctly for the ajax migrate to custom post type, ajax adt clear custom attributes product meta keys, ajax update file url to lower case, ajax use legacy filters and rules, and ajax fix duplicate feed functions.

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-3499

Affected Products

Product Feed Pro For Woocommerce
Woocommerce
Wordpress