{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39671", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:59.671Z", "datePublished": "2026-04-08T08:30:39.107Z", "dateUpdated": "2026-04-08T08:30:39.107Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woo-conditional-product-fees-for-checkout", "product": "Extra Fees Plugin for WooCommerce", "vendor": "Dotstore", "versions": [{"lessThanOrEqual": "4.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:43.296Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.<p>This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:39.107Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woo-conditional-product-fees-for-checkout/vulnerability/wordpress-extra-fees-plugin-for-woocommerce-plugin-4-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Extra Fees Plugin for WooCommerce plugin <= 4.3.3 - Cross Site Request Forgery (CSRF) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3."}], "id": "CVE-2026-39671", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:38.553", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woo-conditional-product-fees-for-checkout/vulnerability/wordpress-extra-fees-plugin-for-woocommerce-plugin-4-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.3.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Extra Fees Plugin for WooCommerce", "source": "cna", "vendor": "Dotstore"}, "product": "extra_fees_plugin_for_woocommerce", "vendor": "dotstore"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:59:41.161365+00:00", "value": {"mitigation_remediation": ["Upgrade the Extra Fees Plugin for WooCommerce to the latest release (4.3.4 or newer).", "If the upgrade cannot be performed immediately, enforce strict role\u2011based access control so that only trusted administrators can change fee configurations and ensure that any endpoint that modifies fees requires a valid CSRF protection token."], "summary": {"action": "Patch Now", "impact": "Unauthorized shop fee manipulation via CSRF"}, "threat_synthesis": {"affected_systems": "Any WordPress site running Dotstore Extra Fees Plugin for WooCommerce with a version up to and including 4.3.3 is affected. The vulnerability is present in all releases from the first available version up to 4.3.3, so any installation that has not been upgraded past that point is at risk.", "description_and_impact": "The Cross\u2011Site Request Forgery flaw in Dotstore Extra Fees Plugin for WooCommerce allows a remote attacker to force a logged\u2011in user to send arbitrary HTTP requests that change fee settings for product checkout. By exploiting the missing CSRF token or nonce validation, an attacker could add, modify or remove extra charges from the cart, which can lead to incorrect pricing, loss of revenue or a negative customer experience. This issue does not provide direct code execution but can undermine the integrity of the checkout flow.", "risk_and_exploitability": "No CVSS or EPSS scores are available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires a victim who is authenticated to the site and has permission to modify fee settings. Because the exploit hinges on user interaction with a malicious link or form, the likelihood of successful exploitation is moderate but could be higher in environments where administrators frequently log in from untrusted networks or devices. Until a patch is applied, the vulnerability poses a tangible risk to price integrity and revenue."}}}}, "created": "2026-04-08T19:28:01.742986+00:00", "updated": "2026-04-08T19:41:04.949916+00:00", "vendors": ["dotstore", "dotstore$PRODUCT$extra_fees_plugin_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}