CVE-2025-13924: CWE-352 Cross-Site Request Forgery (CSRF) in maartenbelmans Advanced Product Fields (Product Addons) for WooCommerce
Description
The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. This is due to missing or incorrect nonce validation on the 'maybe_duplicate' function. This makes it possible for unauthenticated attackers to duplicate and publish product field groups, including draft and pending field groups, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-13924. This vulnerability exists in all versions up to and including 1.6.17 due to missing or incorrect nonce validation in the 'maybe_duplicate' function. Nonces in WordPress are security tokens used to verify that requests are intentional and originate from legitimate users. The absence or improper implementation of nonce checks allows an attacker to craft a malicious request that, when executed by an authenticated administrator (via clicking a link or visiting a malicious page), causes the duplication and publication of product field groups, including those in draft or pending states. This unauthorized action can alter the configuration of product addons, potentially leading to inconsistent product data or enabling further exploitation through manipulated product fields. The attack vector requires no authentication by the attacker but depends on social engineering to induce an administrator to perform the action, thus involving user interaction. The vulnerability does not expose sensitive data (no confidentiality impact) nor does it affect system availability. The CVSS 3.1 base score is 4.3, reflecting a medium severity level with network attack vector, low attack complexity, no privileges required, but user interaction needed. No patches or known exploits have been reported at the time of publication. The vulnerability was assigned by Wordfence and publicly disclosed on December 9, 2025.
Potential Impact
For European organizations operating WooCommerce-based e-commerce platforms using the affected Advanced Product Fields plugin, this vulnerability poses a risk of unauthorized modification of product field configurations. While it does not directly compromise customer data confidentiality or system availability, unauthorized duplication and publication of product field groups can disrupt product presentation, pricing, or options, potentially leading to customer confusion, loss of sales, or reputational damage. Additionally, manipulated product fields could be leveraged as a foothold for further attacks, such as injecting malicious scripts or misleading customers. The requirement for administrator interaction limits the attack scope but does not eliminate risk, especially in organizations with large or distributed admin teams. Given the widespread use of WooCommerce in Europe, particularly in countries with mature e-commerce markets, the impact could be significant if exploited at scale. The absence of known exploits reduces immediate risk but does not preclude future attacks.
Mitigation Recommendations
1. Monitor the plugin vendor’s official channels for a security patch and apply updates promptly once available.
2. Until a patch is released, implement custom nonce validation on the 'maybe_duplicate' function by modifying the plugin code or using WordPress hooks to enforce nonce checks on all state-changing requests.
3. Restrict administrative access to trusted personnel and enforce multi-factor authentication (MFA) to reduce the risk of compromised admin accounts.
4. Educate administrators about the risks of clicking unsolicited links and implement email filtering to reduce phishing attempts.
5. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious CSRF attempts targeting the affected endpoints.
6. Regularly audit product field configurations and logs for unauthorized changes to detect potential exploitation early.
7. Consider isolating or limiting the use of the affected plugin if immediate patching is not feasible, or temporarily disabling the 'maybe_duplicate' functionality if possible.
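Recommendation 2 above describes the defensive pattern in the abstract. The following must-use plugin is an added example (not code from the Advanced Product Fields plugin or from Wordfence) showing how a WordPress nonce plus a capability check closes a CSRF hole on a state-changing admin action. The advisory does not name the request parameters that the real 'maybe_duplicate' function reads, so the action name `duplicate_field_group`, the query key `post`, the nonce key `_apf_guard_nonce` and the `manage_woocommerce` capability are assumptions to be replaced after inspecting the plugin source; the WordPress functions used (`wp_nonce_url`, `wp_verify_nonce`, `current_user_can`, `wp_die`, `add_action`) are real core APIs.

```php
<?php
/**
 * Plugin Name: Field-group duplication CSRF guard (added example)
 * Description: Must-use plugin that enforces a nonce and a capability check
 *              on a "duplicate field group" admin request before any plugin
 *              handler runs. Drop into wp-content/mu-plugins/.
 */

// ASSUMPTION: placeholders for the real plugin's action and query keys.
const APF_GUARD_ACTION    = 'duplicate_field_group';
const APF_GUARD_NONCE_KEY = '_apf_guard_nonce';

/**
 * Build the nonce-protected duplicate link the admin UI should emit.
 * The nonce action string includes the post ID, so a token minted for one
 * field group is not valid for another one.
 */
function apf_guard_duplicate_url( int $post_id ): string {
    $url = add_query_arg(
        array( 'action' => APF_GUARD_ACTION, 'post' => $post_id ),
        admin_url( 'edit.php' )
    );
    return wp_nonce_url( $url, APF_GUARD_ACTION . '_' . $post_id, APF_GUARD_NONCE_KEY );
}

/**
 * Validate an incoming duplicate request. Returns the post ID when both
 * checks pass; otherwise stops the request with an HTTP 403.
 */
function apf_guard_validate_duplicate_request(): int {
    $post_id = isset( $_REQUEST['post'] ) ? absint( $_REQUEST['post'] ) : 0;

    // Authorization: who is making the request. A forged request rides on the
    // victim's session, so this check alone does not stop CSRF.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to duplicate field groups.' ), '', array( 'response' => 403 ) );
    }

    // Intent: the nonce proves the request came from a link or form that
    // WordPress generated for this user and this post, not from a third-party
    // page. A missing or mismatched nonce is exactly what CWE-352 is about.
    $nonce = isset( $_REQUEST[ APF_GUARD_NONCE_KEY ] )
        ? sanitize_text_field( wp_unslash( $_REQUEST[ APF_GUARD_NONCE_KEY ] ) )
        : '';
    if ( ! $post_id || ! wp_verify_nonce( $nonce, APF_GUARD_ACTION . '_' . $post_id ) ) {
        wp_die( esc_html__( 'Security check failed: missing or invalid nonce.' ), '', array( 'response' => 403 ) );
    }

    return $post_id;
}

// Priority 1 so the guard runs before any plugin handler hooked on admin_init.
add_action( 'admin_init', function () {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( APF_GUARD_ACTION !== $action ) {
        return;
    }
    apf_guard_validate_duplicate_request();
}, 1 );
```

The guard only helps if the plugin's handler runs after `admin_init` priority 1 and reads the same parameters, which is why the proper fix belongs inside the plugin's own 'maybe_duplicate' function (a single `check_admin_referer()` call with a matching `wp_nonce_url()` on the link does the same job there). Until the vendor ships that, the mu-plugin gives an operator a way to enforce the check without editing vendor files that an update would overwrite, and its 403 responses are a convenient signal to watch for in web server logs (recommendation 6).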
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T20:51:17.716Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69385e4c74ebaa3baba14004
Added to database: 12/9/2025, 5:37:16 PM
Last enriched: 12/9/2025, 5:53:00 PM
Last updated: 12/11/2025, 2:27:21 AM