CVE-2025-13924: CWE-352 Cross-Site Request Forgery (CSRF) in maartenbelmans Advanced Product Fields (Product Addons) for WooCommerce
CVE-2025-13924 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability affecting the Advanced Product Fields (Product Addons) plugin for WooCommerce on WordPress. The flaw exists due to missing or incorrect nonce validation in the 'maybe_duplicate' function, allowing unauthenticated attackers to trick site administrators into duplicating and publishing product field groups via forged requests. This can lead to unauthorized modification of product configurations, potentially disrupting e-commerce operations. Exploitation requires user interaction, specifically an administrator clicking a malicious link. The vulnerability does not impact confidentiality or availability but can affect integrity by altering product data. No known exploits are currently reported in the wild. European organizations using WooCommerce with this plugin should prioritize patching or mitigating this issue to prevent unauthorized product data manipulation.
AI Analysis
Technical Summary
The Advanced Product Fields (Product Addons) plugin for WooCommerce, developed by maartenbelmans, is vulnerable to a Cross-Site Request Forgery (CSRF) attack identified as CVE-2025-13924. This vulnerability affects all versions up to and including 1.6.17. The root cause is the absence or improper implementation of nonce validation in the 'maybe_duplicate' function, which is responsible for duplicating product field groups. WordPress nonces are short-lived tokens tied to a specific user and action; a handler that verifies the nonce before acting can reject requests that were not generated by the site's own pages. Without such a check, attackers can craft malicious URLs or forms that, when visited or submitted by an authenticated site administrator, trigger unintended duplication and publication of product field groups, including those in draft or pending states. This unauthorized action can alter product configurations, potentially leading to incorrect product options being displayed or sold. The attack vector requires no authentication by the attacker but depends on social engineering to convince an administrator to interact with the malicious request. The CVSS v3.1 base score is 4.3, reflecting a medium severity due to the limited impact on confidentiality and availability but a tangible impact on integrity. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. The vulnerability highlights the importance of proper nonce validation in WordPress plugins handling sensitive administrative functions.
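As an added illustration (not the plugin's real code, which is not reproduced on this page), the following PHP sketch shows the CWE-352 pattern in a hypothetical duplication handler next to a hardened version that verifies a nonce and a capability before acting. The action name `apf_duplicate_group`, the `group_id` parameter and the `duplicate_field_group()` helper are assumptions chosen for the example.

```php
<?php
// Hypothetical sketch of the CWE-352 pattern; not the plugin's real code.
// Assumed names: action `apf_duplicate_group`, request parameter `group_id`.

// Copies a field-group post and publishes the copy regardless of the source's
// status (draft or pending), which is why a forged request has real effect.
function duplicate_field_group( $group_id ) {
    $src = get_post( $group_id );
    if ( ! $src ) {
        return 0;
    }
    return wp_insert_post( array(
        'post_type'    => $src->post_type,
        'post_title'   => $src->post_title . ' (copy)',
        'post_content' => $src->post_content,
        'post_status'  => 'publish',
    ) );
}

// BEFORE: any request an administrator's browser sends with these parameters
// is acted on, so a link or auto-submitting form on a third-party page suffices.
function maybe_duplicate_vulnerable() {
    if ( empty( $_GET['action'] ) || 'apf_duplicate_group' !== $_GET['action'] ) {
        return;
    }
    duplicate_field_group( absint( $_GET['group_id'] ?? 0 ) );
}

// AFTER (part 1): the duplicate link the admin UI renders carries a nonce that
// is bound to the current user and to this specific action and group.
function apf_duplicate_link( $group_id ) {
    $url = add_query_arg(
        array( 'action' => 'apf_duplicate_group', 'group_id' => $group_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'apf_duplicate_group_' . $group_id );
}

// AFTER (part 2): the handler refuses to act unless nonce and capability both pass.
function maybe_duplicate_hardened() {
    if ( empty( $_GET['action'] ) || 'apf_duplicate_group' !== $_GET['action'] ) {
        return;
    }
    $group_id = absint( $_GET['group_id'] ?? 0 );
    // Missing, forged or expired nonce: WordPress stops here with a 403 page.
    check_admin_referer( 'apf_duplicate_group_' . $group_id );
    // Authorization is a separate concern from CSRF protection; check it too.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You may not duplicate field groups.' ), '', array( 'response' => 403 ) );
    }
    duplicate_field_group( $group_id );
}
```

A page on another origin cannot obtain a valid `_wpnonce` for the victim, so the hardened handler rejects the forged request before any post is written.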
Potential Impact
For European organizations operating WooCommerce-based e-commerce sites using the affected Advanced Product Fields plugin, this vulnerability poses a risk to the integrity of product data. Unauthorized duplication and publication of product field groups can lead to incorrect product options being presented to customers, potentially causing confusion, loss of sales, or reputational damage. While the vulnerability does not directly expose sensitive customer data or disrupt site availability, the manipulation of product configurations can indirectly affect business operations and customer trust. In regulated sectors or industries with strict e-commerce compliance requirements, such unauthorized changes could also raise compliance concerns. The requirement for administrator interaction limits the attack scope but does not eliminate risk, especially in environments where administrators may be targeted by phishing or social engineering campaigns. Given WooCommerce's popularity across Europe, especially in small and medium enterprises, the impact could be widespread if unaddressed.
Mitigation Recommendations
European organizations should immediately verify whether they use the Advanced Product Fields (Product Addons) plugin for WooCommerce and check the installed plugin version. Since no official patch links are currently provided, administrators should consider the following mitigations: (1) Temporarily disable or restrict access to the plugin's duplication functionality until a patch is available. (2) Implement strict administrative access controls and limit administrator exposure to untrusted content to reduce the risk of social engineering. (3) Educate administrators about the risks of clicking unknown or suspicious links, especially those that could trigger administrative actions. (4) Monitor logs for unusual duplication or publication activity related to product field groups. (5) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the 'maybe_duplicate' function endpoint. (6) Watch closely for official patches or updates from the plugin developer and apply them promptly once released. (7) Consider using security plugins that enforce nonce validation or additional CSRF protections as an interim safeguard.
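As an added example tied to mitigations (4), (5) and (7) above (not part of the advisory or of the plugin), a must-use plugin that, until a fixed release is installed, refuses duplication requests that did not originate from the site's own admin pages and logs every decision. It assumes the duplication request is identified by an `action=apf_duplicate_group` parameter (a placeholder to be replaced with the value the installed version actually uses) and that the plugin processes it on or after `admin_init`.

```php
<?php
/**
 * Plugin Name: Interim CSRF guard for field-group duplication (example, not the plugin's code)
 * Install in wp-content/mu-plugins/ until the vendor's fix is applied.
 */
add_action( 'admin_init', function () {
    // Placeholder request parameter; replace with the real one for your version.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'apf_duplicate_group' !== $action ) {
        return;
    }

    $site_host    = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    $fetch_site   = isset( $_SERVER['HTTP_SEC_FETCH_SITE'] ) ? strtolower( $_SERVER['HTTP_SEC_FETCH_SITE'] ) : '';
    $referer_host = isset( $_SERVER['HTTP_REFERER'] ) ? (string) wp_parse_url( $_SERVER['HTTP_REFERER'], PHP_URL_HOST ) : '';

    // A click inside wp-admin is a same-origin navigation. A link in an e-mail or on a
    // third-party page arrives as `cross-site` or `none`, with a foreign or empty referer.
    // Browsers that send no Fetch Metadata header fall back to the referer host check.
    $same_origin = ( 'same-origin' === $fetch_site )
        || ( '' === $fetch_site && '' !== $referer_host && 0 === strcasecmp( $referer_host, $site_host ) );

    // Mitigation (4): leave an audit trail for every duplication attempt, allowed or not.
    error_log( sprintf(
        '[apf-csrf-guard] user=%s method=%s sec-fetch-site=%s referer-host=%s decision=%s',
        wp_get_current_user()->user_login,
        $_SERVER['REQUEST_METHOD'] ?? '-',
        '' !== $fetch_site ? $fetch_site : '-',
        '' !== $referer_host ? $referer_host : '-',
        $same_origin ? 'allow' : 'block'
    ) );

    if ( ! $same_origin ) {
        wp_die(
            esc_html__( 'Blocked: this duplication request did not originate from the dashboard.' ),
            '',
            array( 'response' => 403 )
        );
    }
}, 0 ); // priority 0 so the guard runs before the plugin's own admin_init handlers
```

Requests from a browser that sends neither `Sec-Fetch-Site` nor a same-host `Referer` are blocked as well, an acceptable trade-off for a temporary guard; the `[apf-csrf-guard] ... decision=block` lines in the PHP error log are the events to alert on.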
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T20:51:17.716Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69385e4c74ebaa3baba14004
Added to database: 12/9/2025, 5:37:16 PM
Last enriched: 12/16/2025, 9:12:18 PM
Last updated: 2/7/2026, 10:41:25 AM