CVE-2026-6932: CWE-352 Cross-Site Request Forgery (CSRF) in hemant29 Woo Commerce Minimum Weight
The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify the minimum order weight setting by tricking a site administrator into clicking a link or visiting an attacker-controlled page containing a forged POST request.
AI Analysis
Technical Summary
The Woo Commerce Minimum Weight plugin for WordPress suffers from a CSRF vulnerability due to the absence of nonce verification on the settings update handler in edit-weight.php. This flaw enables attackers to perform unauthorized changes to the minimum order weight configuration by convincing an administrator to execute a crafted POST request. The vulnerability affects all versions up to and including 3.0.1. The CVSS 3.1 base score is 4.3, reflecting a medium severity level with network attack vector, low attack complexity, no privileges required, and user interaction needed. No official fix or patch has been documented as of the publication date.
Potential Impact
An attacker can modify the minimum order weight setting of the Woo Commerce Minimum Weight plugin without authentication by exploiting the CSRF vulnerability. This could lead to unintended changes in e-commerce order restrictions, potentially disrupting business operations or causing confusion. There is no direct impact on confidentiality or availability reported. No known exploits have been observed in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should be cautious when clicking links or visiting untrusted sites while logged into WordPress with administrative privileges. Implementing additional CSRF protections or using security plugins that enforce nonce verification may help mitigate the risk.
CVE-2026-6932: CWE-352 Cross-Site Request Forgery (CSRF) in hemant29 Woo Commerce Minimum Weight
Description
The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify the minimum order weight setting by tricking a site administrator into clicking a link or visiting an attacker-controlled page containing a forged POST request.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Woo Commerce Minimum Weight plugin for WordPress suffers from a CSRF vulnerability due to the absence of nonce verification on the settings update handler in edit-weight.php. This flaw enables attackers to perform unauthorized changes to the minimum order weight configuration by convincing an administrator to execute a crafted POST request. The vulnerability affects all versions up to and including 3.0.1. The CVSS 3.1 base score is 4.3, reflecting a medium severity level with network attack vector, low attack complexity, no privileges required, and user interaction needed. No official fix or patch has been documented as of the publication date.
Potential Impact
An attacker can modify the minimum order weight setting of the Woo Commerce Minimum Weight plugin without authentication by exploiting the CSRF vulnerability. This could lead to unintended changes in e-commerce order restrictions, potentially disrupting business operations or causing confusion. There is no direct impact on confidentiality or availability reported. No known exploits have been observed in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should be cautious when clicking links or visiting untrusted sites while logged into WordPress with administrative privileges. Implementing additional CSRF protections or using security plugins that enforce nonce verification may help mitigate the risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-23T18:19:12.344Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a02e311cbff5d8610bad612
Added to database: 5/12/2026, 8:21:37 AM
Last enriched: 5/12/2026, 8:38:22 AM
Last updated: 5/13/2026, 4:49:47 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.