The Product Feed PRO for WooCommerce plugin by AdTribes is vulnerable to CSRF due to improper nonce validation in multiple AJAX endpoints (ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, ajax_fix_duplicate_feed). This allows unauthenticated attackers to induce site administrators to perform sensitive actions via forged requests. Affected versions include 13.4.6 through 13.5.2.1. The vulnerability impacts confidentiality, integrity, and availability as indicated by the CVSS vector (C:H/I:H/A:H). No vendor advisory or patch is currently available, and the plugin is not a cloud service, so remediation depends on vendor updates or user intervention.

Successful exploitation can lead to unauthorized modification and deletion of product feed data, including feed migration, clearing of transient caches, URL rewriting, toggling of legacy settings, and deletion of duplicated feed posts. This compromises the integrity and availability of the product feed data managed by the plugin. The vulnerability requires tricking an authenticated site administrator into performing an action, but no privileges are required to initiate the attack. The CVSS score of 8.8 reflects a high impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should exercise caution when interacting with links or requests that could trigger these AJAX functions. Implementing additional CSRF protections or disabling the affected AJAX endpoints where feasible may reduce risk. Monitor official jkohlbach or plugin vendor channels for updates and apply patches promptly once available.