WordPress Plugin Vulnerabilities

Extra Fees Plugin for WooCommerce < 4.3.4 - Cross-Site Request Forgery

Description

The Extra Fees Plugin for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woo-conditional-product-fees-for-checkout
Fixed in 4.3.4

References

CVE
CVE-2026-39671
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e233f47f-734f-4190-ac5f-b63d54ebd4a8

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Ba Khanh
Verified
No
WPVDB ID
66207bf0-055d-44b8-bf3d-7f86f7076e75

Timeline

Publicly Published
2026-02-19 (about 2 months ago)
Added
2026-04-15 (about 28 days ago)
Last Updated
2026-04-25 (about 19 days ago)

Other

Published
Title
Published
2019-06-27
Title
WP Better Permalinks <= 3.0.4 - CSRF allowing Option Update
Published
2020-04-27
Title
Real-Time Find and Replace < 4.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-12-05
Title
WP System <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-05-31
Title
WPMK Ajax Finder <= 1.0.1 - Stored Cross-Site Scripting via CSRF
Published
2025-04-01
Title
Query Wrangler < 1.5.55 - Cross-Site Request Forgery