CVE-2026-1672
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function, allowing unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request, provided they trick a site administrator or shop manager into performing an action such as clicking a link.
Risk Assessment
The risk involves unauthorized modification of product data in the WooCommerce store, which can lead to manipulation of prices, descriptions, and other critical information, affecting store integrity and customer trust.
Recommendation
It is recommended to immediately update the BEAR – Bulk Editor and Products Manager Professional plugin to the latest available version that includes a fix for the missing nonce validation. Additionally, consider implementing additional CSRF protection mechanisms such as using tokens in forms.
Original NVD description (English source)
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.

