CVE-2025-13924: CWE-352 Cross-Site Request Forgery (CSRF) in maartenbelmans Advanced Product Fields (Product Addons) for WooCommerce
The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. This is due to missing or incorrect nonce validation on the 'maybe_duplicate' function. This makes it possible for unauthenticated attackers to duplicate and publish product field groups, including draft and pending field groups, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
The Advanced Product Fields (Product Addons) plugin for WooCommerce, used to add custom option fields to products on WordPress storefronts, contains a Cross-Site Request Forgery (CSRF) vulnerability tracked as CVE-2025-13924 (CWE-352). All versions up to and including 1.6.17 are affected. The cause is missing or incorrect nonce validation in the 'maybe_duplicate' function, the handler that duplicates a product field group and publishes the copy. A WordPress nonce is a short-lived token derived from the action name, the logged-in user and that user's session; it is embedded in the plugin's own admin links and forms and checked again when the request arrives. A third-party site cannot obtain or predict it, so a request without a valid nonce cannot have originated from the plugin's UI. When that check is missing, the handler accepts any request that arrives with the administrator's session cookie, which the browser attaches automatically. The attacker therefore needs no account of their own: they lure a logged-in administrator into following a crafted link, the administrator's browser issues the duplication request, and the plugin creates and publishes copies of field groups, including ones the site owner had deliberately left as drafts or pending. Because the action is reached by following a link (a top-level GET navigation), the browser's default SameSite=Lax cookie handling does not block it; only a server-side nonce check does. The impact is limited to integrity: the attacker changes product configuration but reads no data and does not affect availability. The CVSS 3.1 base score is 4.3, consistent with a network-reachable attack of low complexity that needs no privileges, requires user interaction, and has low integrity impact with no confidentiality or availability impact. No patch was linked at the time of publication and no in-the-wild exploitation had been reported. The general lesson is that every state-changing admin action in a WordPress plugin needs both a nonce check and a capability check: the nonce shows the request came from a page the site rendered for that user, and the capability check shows the user is allowed to perform the action.
Potential Impact
The impact is to the integrity of storefront product configuration. A successful forgery creates and publishes copies of product field groups, including draft and pending groups the site owner had not yet approved, so half-finished or abandoned option sets can appear on live products. Customers may be shown duplicated, inconsistent or wrong options, orders may carry add-ons the store never meant to sell, and staff have to locate and remove the rogue groups. No customer data is read and the site stays available, but a change to what customers can order is a business-level problem for a store, and an attacker who can reshape product options could use this alongside other weaknesses in a broader fraud attempt. The precondition is modest: the administrator only has to open an attacker-controlled page or follow a link while holding a valid wp-admin session, and WordPress sessions last two days by default and 14 days with 'Remember Me', so an administrator who rarely logs out is exposed most of the time. Sites with several administrators, or with administrators who browse mail and untrusted links in the same browser profile they use for wp-admin, are the most exposed.
Mitigation Recommendations
Check the installed plugin version: anything up to and including 1.6.17 is affected. Watch the vendor's changelog for a release that adds nonce validation to the duplicate action and apply it promptly; no fixed version was linked at the time of publication. Until then, shrink the window in which a forged request can succeed: keep the number of administrator-level accounts to the minimum, have administrators use a separate browser profile for wp-admin so that mail, chat and untrusted links never open in a logged-in context, and have them log out rather than rely on the 'Remember Me' cookie. Be realistic about compensating controls. A WAF sees the forged request arriving from the administrator's own browser with the administrator's own cookies, so generic CSRF signatures rarely catch it; a rule that blocks the plugin's duplicate action unless the Referer header is present and points at the site's own origin will stop link-based forgeries, at the cost of breaking legitimate requests from browsers or extensions that strip Referer. Multi-factor authentication does not mitigate CSRF at all, because the attacker never authenticates; the forged request rides a session that has already passed MFA. MFA remains good hygiene against credential theft, but do not count it as a control for this issue. For detection, WordPress core does not log administrative actions, so either install an activity-log plugin or audit the field groups themselves: review their creation dates, authors and statuses, and treat any newly published group that nobody on the team created as suspect. Finally, on the developer side, every state-changing admin action needs both a nonce check (check_admin_referer() or wp_verify_nonce()) and a capability check (current_user_can()) before it runs, and a duplicate should be created as a draft rather than published automatically, so that a forged or accidental duplication never reaches customers.
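The following is an added illustration, not code from the Advanced Product Fields plugin or from the Wordfence advisory: a generic WordPress admin "duplicate" action written first in the CSRF-prone shape the advisory describes (a state change on a bare link, with no nonce and no capability check) and then hardened as the technical summary and mitigation sections recommend. The hook names, the example_ prefix, the post type slug apf_field_group and the capability chosen are all hypothetical; the WordPress functions called (check_admin_referer, wp_nonce_url, current_user_can, wp_insert_post, admin_url, add_query_arg, wp_safe_redirect, wp_die) are real core APIs.

```php
<?php
/**
 * Added example: CSRF-prone vs. hardened "duplicate" admin action.
 * This is NOT the plugin's source. Hook names, 'example_' prefix, the post type
 * 'apf_field_group' and the capability used are hypothetical placeholders.
 */

// --- Vulnerable pattern (illustrates the bug class, not the real plugin code).
//     A state change on a bare GET, with no nonce and no capability check.
add_action( 'admin_init', function () {
    if ( ! isset( $_GET['example_duplicate'] ) ) {
        return;
    }
    // Any logged-in administrator whose browser follows a crafted link reaches
    // this line: the only "authentication" is the cookie the browser attaches
    // automatically, and the copy is published immediately.
    example_duplicate_group( absint( $_GET['example_duplicate'] ), 'publish' );
} );

// --- Hardened pattern: dedicated admin-post handler, nonce bound to the target id,
//     explicit capability check, and the duplicate lands as a draft.
add_action( 'admin_post_example_duplicate', function () {
    $group_id = isset( $_GET['group_id'] ) ? absint( $_GET['group_id'] ) : 0;

    // 1. Nonce: tied to this action AND this group id, so a token rendered for
    //    one record cannot be replayed against another. check_admin_referer()
    //    reads $_REQUEST['_wpnonce'] and calls wp_die() when it does not verify.
    check_admin_referer( 'example_duplicate_' . $group_id, '_wpnonce' );

    // 2. Authorization: a nonce ties the request to the user's session and the
    //    action name; it says nothing about what that user may do. Check that too.
    if ( ! $group_id || ! current_user_can( 'edit_post', $group_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to duplicate this field group.' ),
            '',
            array( 'response' => 403 )
        );
    }

    $new_id = example_duplicate_group( $group_id, 'draft' );
    if ( is_wp_error( $new_id ) || ! $new_id ) {
        wp_die( esc_html__( 'Duplication failed.' ), '', array( 'response' => 500 ) );
    }

    wp_safe_redirect(
        add_query_arg( array( 'post' => $new_id, 'action' => 'edit' ), admin_url( 'post.php' ) )
    );
    exit;
} );

// Link generator for the admin list table. wp_nonce_url() appends _wpnonce for
// the same action string the handler verifies above.
function example_duplicate_link( $group_id ) {
    $url = add_query_arg(
        array( 'action' => 'example_duplicate', 'group_id' => absint( $group_id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_duplicate_' . absint( $group_id ) );
}

// Copies a field-group post. $status is the second half of the fix: a forged or
// accidental duplicate created as 'draft' is never customer-visible.
function example_duplicate_group( $source_id, $status ) {
    $source = get_post( $source_id );
    if ( ! $source || 'apf_field_group' !== $source->post_type ) {
        return 0;
    }
    return wp_insert_post( array(
        'post_type'    => $source->post_type,
        'post_title'   => $source->post_title . ' (copy)',
        'post_content' => $source->post_content,
        'post_status'  => $status,
    ), true );
}
```

Two design choices carry the fix. The nonce action string includes the target id, so a token emitted for one field group cannot be reused against another, and the duplicate is created as a draft, so even a mistaken duplication stays invisible to customers until someone reviews and publishes it. Note also that check_admin_referer() alone is not authorization: it only proves the request came from a page WordPress rendered for the current user, which is why the current_user_can() check follows it.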
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T20:51:17.716Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69385e4c74ebaa3baba14004
Added to database: 12/9/2025, 5:37:16 PM
Last enriched: 2/27/2026, 10:33:24 AM
Last updated: 3/24/2026, 12:28:53 PM