CVE-2026-3499
Severity: High
CWE-352 — Weakness Type
Published: Apr 8, 2026  ·  Modified: Apr 15, 2026  ·  Source: NVD
CVSS v3: 8.8
🔗 NVD Official
📄 Description (English)

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
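The following is an added illustration, not the plugin's own code (which this page does not reproduce): a WordPress wp_ajax_ handler that omits nonce validation, the pattern behind the CWE-352 finding described above, beside the hardened form that calls check_ajax_referer() and adds an explicit capability check. The adt_demo_* names, the nonce action 'adt_demo_feed_action', the 'security' request field and the script path are assumptions made for this example.

```php
<?php
/**
 * Added example (not AdTribes code): missing nonce validation on an AJAX handler,
 * and the hardened equivalent. All adt_demo_* identifiers are assumptions.
 */

// --- Vulnerable pattern: the handler trusts any request arriving with an admin session. ---
// A forged cross-site form POST carries the administrator's session cookie, so nothing
// here distinguishes the admin's own click from a page the admin was lured onto.
add_action( 'wp_ajax_adt_demo_migrate_vulnerable', 'adt_demo_migrate_vulnerable' );
function adt_demo_migrate_vulnerable() {
    // No nonce check and no capability check: runs for any authenticated session.
    adt_demo_run_migration();
    wp_send_json_success( array( 'migrated' => true ) );
}

// --- Hardened pattern: nonce bound to this action, plus an authorization check. ---
add_action( 'wp_ajax_adt_demo_migrate_hardened', 'adt_demo_migrate_hardened' );
function adt_demo_migrate_hardened() {
    // check_ajax_referer() runs wp_verify_nonce() on $_REQUEST['security'] for the
    // action 'adt_demo_feed_action' and terminates the request (response "-1")
    // when the nonce is missing or invalid; dying is its default behaviour.
    check_ajax_referer( 'adt_demo_feed_action', 'security' );

    // A nonce proves the request was built by the site's own page, not that the
    // user may perform the operation; authorization is a separate check.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    adt_demo_run_migration();
    wp_send_json_success( array( 'migrated' => true ) );
}

// --- Issuing the nonce: only a script served on the site's own admin page receives it. ---
add_action( 'admin_enqueue_scripts', 'adt_demo_enqueue' );
function adt_demo_enqueue( $hook_suffix ) {
    // Hypothetical script handle and path for the example.
    wp_enqueue_script( 'adt-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'adt-demo-admin', 'adtDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        // wp_create_nonce() ties the token to the current user, session token and
        // action name; by default it stays valid for the current and previous 12-hour tick.
        'nonce'   => wp_create_nonce( 'adt_demo_feed_action' ),
    ) );
}

// Stand-in for the privileged work the handler protects (example only).
function adt_demo_run_migration() {
    update_option( 'adt_demo_last_migration', time() );
}
```

The page's script then posts `{ action: 'adt_demo_migrate_hardened', security: adtDemo.nonce }` to `adtDemo.ajaxUrl`. A page on another origin cannot read that nonce, so its forged POST fails the check_ajax_referer() call before any feed data is touched; the capability check is what stops a low-privilege account on the same site from calling the handler directly.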

🤖 AI Executive Summary

CVE-2026-3499 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting the Product Feed PRO for WooCommerce plugin (versions 13.4.6-13.5.2.1) that allows unauthenticated attackers to manipulate feed configurations, clear caches, and delete feed data by tricking administrators into clicking malicious links. With a CVSS score of 8.8 and no patch currently available, this poses immediate risk to e-commerce operations across Saudi Arabia. The vulnerability requires social engineering but can cause significant operational disruption to WooCommerce-based businesses.

🤖 AI Intelligence Analysis (Analyzed: Apr 23, 2026 07:36)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi e-commerce businesses, particularly those in the retail and online sales sectors that rely on WooCommerce for product catalog management. High-risk sectors include: (1) Retail & E-commerce platforms selling through Noon, Zando, and independent WooCommerce stores; (2) ARAMCO and energy sector supply chain management systems using WooCommerce for vendor portals; (3) Healthcare e-commerce platforms distributing medical supplies; (4) Telecom providers (STC, Mobily, Zain) managing product feeds for accessories and services; (5) Government procurement portals using WooCommerce. The attack requires administrator social engineering, making it particularly dangerous in organizations with limited security awareness training. Feed manipulation could lead to incorrect product pricing, inventory mismanagement, and data loss affecting customer transactions.
🏢 Affected Saudi Sectors
E-commerce & Retail
Energy (ARAMCO supply chain)
Healthcare (medical supplies distribution)
Telecommunications (STC, Mobily, Zain)
Government (procurement portals)
Logistics & Supply Chain
Financial Services (payment processing through WooCommerce)
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable the Product Feed PRO plugin immediately until a patch is released
2. Review WordPress admin access logs for suspicious AJAX requests to the vulnerable functions (ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, ajax_fix_duplicate_feed)
3. Audit all feed configurations and custom attributes for unauthorized modifications
4. Restore feed data from clean backups if tampering is detected

COMPENSATING CONTROLS (until patch available):
5. Implement Web Application Firewall (WAF) rules to block AJAX requests to vulnerable endpoints from external sources
6. Restrict WordPress admin panel access to specific IP ranges (whitelist corporate networks)
7. Enforce multi-factor authentication (MFA) for all administrator accounts
8. Implement CSRF tokens at the application level using WordPress nonce verification plugins
9. Monitor for suspicious admin activity using WordPress security plugins (Wordfence, Sucuri)

DETECTION RULES:
10. Log and alert on POST requests to /wp-admin/admin-ajax.php containing: action=ajax_migrate_to_custom_post_type OR action=ajax_adt_clear_custom_attributes_product_meta_keys OR action=ajax_update_file_url_to_lower_case OR action=ajax_use_legacy_filters_and_rules OR action=ajax_fix_duplicate_feed
11. Monitor for requests lacking valid WordPress nonce parameters
12. Alert on feed configuration changes without corresponding admin user session activity

PATCHING GUIDANCE:
13. Subscribe to AdTribes security notifications for patch release
14. Plan immediate update to patched version once available
15. Test patch in staging environment before production deployment
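As an added example (not code from AdTribes or from this advisory), the must-use plugin below implements detection rule 10 and compensating control 5 in one place: it attaches at priority 0 to the wp_ajax_ hooks of the five affected actions, writes one log line per call, and refuses requests whose Origin or Referer header does not name the site's own host, so the vulnerable handler is never reached. Like the page's detection rule, it assumes the listed function names are also the admin-ajax `action` values; confirm that against the installed plugin's add_action() calls before relying on it. The adt_guard_* names are assumptions.

```php
<?php
/**
 * Plugin Name: ADT AJAX CSRF Guard (added example)
 *
 * Added example, not the plugin's or the advisory's code. Place the file in
 * wp-content/mu-plugins/ so it loads before regular plugins. Assumes the five
 * function names below are the admin-ajax 'action' values (as the page's rule 10 does).
 */

const ADT_GUARD_ACTIONS = array(
    'ajax_migrate_to_custom_post_type',
    'ajax_adt_clear_custom_attributes_product_meta_keys',
    'ajax_update_file_url_to_lower_case',
    'ajax_use_legacy_filters_and_rules',
    'ajax_fix_duplicate_feed',
);

// Priority 0 runs before the plugin's own handler (registered at the default 10),
// so a refused request terminates before the vulnerable function executes.
foreach ( ADT_GUARD_ACTIONS as $adt_action ) {
    add_action( 'wp_ajax_' . $adt_action, 'adt_guard_inspect', 0 );
}

/**
 * Classify a request as same-origin or not. Browsers send Origin on cross-site
 * POSTs and Referer on most navigations; a request issued by the site's own admin
 * page names the site's host in one of them. Returns 'ok' or a reason for the log.
 */
function adt_guard_cross_site_reason( array $server, string $site_host ) {
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( empty( $server[ $header ] ) ) {
            continue;
        }
        $host = wp_parse_url( $server[ $header ], PHP_URL_HOST );
        if ( null !== $host && 0 === strcasecmp( $host, $site_host ) ) {
            return 'ok';
        }
        return 'origin-mismatch:' . (string) $host;
    }
    // Neither header present: a form POST under a no-referrer policy looks like this.
    return 'no-origin-header';
}

function adt_guard_inspect() {
    $action    = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $site_host = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    $reason    = adt_guard_cross_site_reason( $_SERVER, $site_host );

    // Detection rule 10: every call to an affected action is logged with its verdict,
    // giving the SIEM a single line to alert on. error_log() writes to the PHP error log.
    error_log( sprintf(
        'adt-guard action=%s user=%d ip=%s method=%s verdict=%s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
        sanitize_text_field( $reason )
    ) );

    // Compensating control 5: refuse anything that did not originate from the
    // site's own pages. wp_send_json_error() ends the request, so the plugin's
    // handler at priority 10 never runs.
    if ( 'ok' !== $reason ) {
        wp_send_json_error( array( 'message' => 'Cross-site request refused' ), 403 );
    }
}
```

Two caveats when applying rule 10 with ordinary web-server logs: the `action` parameter normally travels in the POST body, so an access log records only a POST to /wp-admin/admin-ajax.php without the action name, whereas a server-side hook like this one sees it regardless; and a site served under several hostnames needs the host comparison widened, or legitimate admin requests from the alternate host will be refused and logged as origin-mismatch.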
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures (CSRF protection requirements)
A.6.1.2 - Access Control (administrator account protection)
A.7.1.1 - Cryptography (nonce validation and CSRF token implementation)
A.8.1.1 - Audit Logging (monitoring of admin actions and AJAX requests)
A.12.4.1 - Logging and Monitoring (detection of unauthorized feed modifications)
🔵 SAMA CSF
Governance & Risk Management - Risk Assessment and Management
Information & Cybersecurity - Access Control and Authentication
Information & Cybersecurity - Audit and Accountability
Operational Resilience - Incident Detection and Response
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.2 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices
A.8.2.1 - User registration and de-registration
A.8.2.3 - Management of privileged access rights
A.8.3.1 - Password management
A.9.2.1 - User access management
A.9.4.3 - Segregation of duties
A.12.4.1 - Event logging
A.12.4.3 - Protection of log information
🟣 PCI DSS v4.0.1
Requirement 6.5.9 - Protection against CSRF attacks
Requirement 7.1 - Limit access to system components by business need to know
Requirement 8.1 - Assign unique ID to each person with computer access
Requirement 8.2 - Ensure proper user authentication
Requirement 10.1 - Implement audit trails for all system components
📊 CVSS Score: 8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: N — None
User Interaction: R — Required
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-352
EPSS: 0.02%
Exploit: No
Patch: No
Published: 2026-04-08
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags: CWE-352