Cross-Site Request Forgery in Advanced Product Fields for WooCommerce Plugin by WordPress
CVE-2025-13924

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Advanced Product Fields (product Addons) For WooCommerce
Vendor: CVE Published:; 9 December 2025

What is CVE-2025-13924?

The Advanced Product Fields for WooCommerce plugin for WordPress is vulnerable to a Cross-Site Request Forgery (CSRF) flaw. This vulnerability affects all versions up to and including 1.6.17 due to inadequate nonce validation in the 'maybe_duplicate' function. It allows unauthenticated attackers to exploit this issue by tricking site administrators into performing actions, such as clicking on malicious links, which can result in unauthorized duplication and publication of product field groups, including those that are in draft or pending status.

Affected Version(s)

Advanced Product Fields (Product Addons) for WooCommerce 0 <= 1.6.17

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://github.com/Baodaica/advanced-product-fields-for-w...

https://plugins.trac.wordpress.org/changeset/3411740/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2025
Vulnerability Reserved
Dec 2, 2025

Credit

Nguyen C

CVE-2025-13924 Data

JSON