
15 vulnerabilities found for BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net by realmag777

CVE-2026-1672 (GCVE-0-2026-1672)
Vulnerability from cvelistv5
Published
2026-04-08 11:16
Modified
2026-04-08 17:18
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data, including prices, descriptions, and other product fields, via a forged request, provided they can trick a site administrator or shop manager into performing an action such as clicking on a link.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1672",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T14:47:19.683485Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T16:13:41.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ignatyev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:18:41.014Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L782"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3457263/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3465138/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-30T01:36:11.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-07T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net \u003c= 1.1.5 - Cross-Site Request Forgery to Product Data Modification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1672",
    "datePublished": "2026-04-08T11:16:58.519Z",
    "dateReserved": "2026-01-30T01:19:20.746Z",
    "dateUpdated": "2026-04-08T17:18:41.014Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1673 (GCVE-0-2026-1673)
Vulnerability from cvelistv5
Published
2026-04-08 11:16
Modified
2026-04-08 16:40
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request, provided they can trick a site administrator or shop manager into performing an action such as clicking on a link.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1673",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T13:02:09.168870Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T13:02:24.721Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ignatyev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:40:46.856Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3457263/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3465138/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-30T01:36:18.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-07T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net \u003c= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1673",
    "datePublished": "2026-04-08T11:16:57.236Z",
    "dateReserved": "2026-01-30T01:19:54.849Z",
    "dateUpdated": "2026-04-08T16:40:46.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-31430 (GCVE-0-2024-31430)
Vulnerability from cvelistv5
Published
2024-04-10 19:10
Modified
2024-08-02 01:52
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional, realmag777 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net. This issue affects WOLF – WordPress Posts Bulk Editor and Manager Professional: from n/a through 1.0.8.1; BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net: from n/a through 1.1.4.1.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-31430",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-31T20:29:49.441192Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-31T20:31:57.244Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:52:56.903Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/bulk-editor/wordpress-wolf-wordpress-posts-bulk-editor-and-manager-professional-plugin-1-0-8-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
          },
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/woo-bulk-editor/wordpress-bear-bulk-editor-and-products-manager-professional-for-woocommerce-plugin-1-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "bulk-editor",
          "product": "WOLF \u2013 WordPress Posts Bulk Editor and Manager Professional",
          "vendor": "realmag777",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.0.8.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.0.8.1",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "woo-bulk-editor",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1.4.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.1.4.1",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dhabaleshwar Das (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF \u2013 WordPress Posts Bulk Editor and Manager Professional, realmag777 BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net.\u003cp\u003eThis issue affects WOLF \u2013 WordPress Posts Bulk Editor and Manager Professional: from n/a through 1.0.8.1; BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net: from n/a through 1.1.4.1.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF \u2013 WordPress Posts Bulk Editor and Manager Professional, realmag777 BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net.This issue affects WOLF \u2013 WordPress Posts Bulk Editor and Manager Professional: from n/a through 1.0.8.1; BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net: from n/a through 1.1.4.1.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-10T19:10:01.565Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/bulk-editor/wordpress-wolf-wordpress-posts-bulk-editor-and-manager-professional-plugin-1-0-8-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/woo-bulk-editor/wordpress-bear-bulk-editor-and-products-manager-professional-for-woocommerce-plugin-1-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update\u0026nbsp;WOLF plugin to\u0026nbsp;1.0.8.2 or a higher version.\u003cbr\u003eUpdate\u0026nbsp;BEAR plugin to\u0026nbsp;1.1.4.2 or a higher version."
            }
          ],
          "value": "Update\u00a0WOLF plugin to\u00a01.0.8.2 or a higher version.\nUpdate\u00a0BEAR plugin to\u00a01.1.4.2 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cross-Site Request Forgery (CSRF) vulnerability in realmag777 BEAR and WOLF WordPress plugins",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-31430",
    "datePublished": "2024-04-10T19:10:01.565Z",
    "dateReserved": "2024-04-03T12:22:47.292Z",
    "dateUpdated": "2024-08-02T01:52:56.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-24834 (GCVE-0-2024-24834)
Vulnerability from cvelistv5
Published
2024-02-08 13:13
Modified
2024-08-01 23:28
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net allows Stored XSS. This issue affects BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net: from n/a through 1.1.4.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24834",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-08T18:01:56.390629Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:20:46.303Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:28:13.087Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/woo-bulk-editor/wordpress-bear-plugin-1-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "woo-bulk-editor",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1.4.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.1.4",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Mika (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in realmag777 BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net allows Stored XSS.\u003cp\u003eThis issue affects BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net: from n/a through 1.1.4.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in realmag777 BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net allows Stored XSS.This issue affects BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net: from n/a through 1.1.4.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-08T13:13:18.112Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/woo-bulk-editor/wordpress-bear-plugin-1-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to\u0026nbsp;1.1.4.1 or a higher version."
            }
          ],
          "value": "Update to\u00a01.1.4.1 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress BEAR Plugin \u003c= 1.1.4 is vulnerable to Cross Site Scripting (XSS)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-24834",
    "datePublished": "2024-02-08T13:13:18.112Z",
    "dateReserved": "2024-01-31T18:26:14.722Z",
    "dateUpdated": "2024-08-01T23:28:13.087Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-4941 (GCVE-0-2023-4941)
Vulnerability from cvelistv5
Published
2023-10-20 07:29
Modified
2026-04-08 17:18
CWE
  • CWE-862 - Missing Authorization
Summary
The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_swap function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:53.387Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc20f303-cac3-4517-9c45-153c410a13af?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L521"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4941",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:22:45.946483Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:04:39.642Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_swap function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:18:38.808Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc20f303-cac3-4517-9c45-153c410a13af?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L521"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Missing Authorization to Product Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4941",
    "datePublished": "2023-10-20T07:29:29.267Z",
    "dateReserved": "2023-09-13T14:03:49.866Z",
    "dateUpdated": "2026-04-08T17:18:38.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4926 (GCVE-0-2023-4926)
Vulnerability from cvelistv5
Published
2023-10-20 07:29
Modified
2026-04-08 17:14
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulk_delete_products function. This makes it possible for unauthenticated attackers to delete products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:52.220Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab633506-63a1-4be1-b402-c7f0bcc4ea7a?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulk/bulk.php#L159"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulk/bulk.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulk%2Fbulk.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4926",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:22:52.613693Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:05:24.286Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulk_delete_products function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:14:35.221Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab633506-63a1-4be1-b402-c7f0bcc4ea7a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulk/bulk.php#L159"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulk/bulk.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulk%2Fbulk.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Cross-Site Request Forgery to Product Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4926",
    "datePublished": "2023-10-20T07:29:26.995Z",
    "dateReserved": "2023-09-12T21:05:28.432Z",
    "dateUpdated": "2026-04-08T17:14:35.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4924 (GCVE-0-2023-4924)
Vulnerability from cvelistv5
Published
2023-10-20 07:29
Modified
2026-04-08 17:03
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
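The BEAR plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to missing capability checks on the woobe_bulkoperations_delete function. This makes it possible for authenticated attackers, with subscriber access or higher, to delete products. Note that the record classifies this issue as CWE-352 (CSRF), while the description and the CVSS vector (PR:L/UI:N) describe a missing authorization check; when verifying a fix, look for a capability check on the handler in addition to any nonce validation.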


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:52.206Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dfd0246-4265-4dde-8a1e-18b7042eae74?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L344"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4924",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:23:05.254184Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:06:20.203Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to missing capability checks on the woobe_bulkoperations_delete function. This makes it possible for authenticated attackers, with subscriber access or higher, to delete products."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:03:00.833Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dfd0246-4265-4dde-8a1e-18b7042eae74?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L344"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Missing Authorization to Product Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4924",
    "datePublished": "2023-10-20T07:29:22.473Z",
    "dateReserved": "2023-09-12T20:05:59.613Z",
    "dateUpdated": "2026-04-08T17:03:00.833Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4923 (GCVE-0-2023-4923)
Vulnerability from cvelistv5
Published
2023-10-20 07:29
Modified
2026-04-08 17:02
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_delete function. This makes it possible for unauthenticated attackers to delete products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:52.143Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a4db03d-ec40-4145-aa95-fee78bda5205?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L344"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4923",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:23:08.019580Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:06:26.874Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_delete function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:02:20.039Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a4db03d-ec40-4145-aa95-fee78bda5205?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L344"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Cross-Site Request Forgery to Product Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4923",
    "datePublished": "2023-10-20T07:29:22.008Z",
    "dateReserved": "2023-09-12T20:01:43.671Z",
    "dateUpdated": "2026-04-08T17:02:20.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4935 (GCVE-0-2023-4935)
Vulnerability from cvelistv5
Published
2023-10-20 06:35
Modified
2026-04-08 16:57
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the create_profile function. This makes it possible for unauthenticated attackers to create profiles via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:53.204Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/639f3941-7783-4500-aca4-5e8155db6460?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/classes/models/profiles.php#L191"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/classes/models/profiles.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fclasses%2Fmodels%2Fprofiles.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4935",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:23:17.219044Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:07:05.756Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the create_profile function. This makes it possible for unauthenticated attackers to create profiles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:57:23.805Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/639f3941-7783-4500-aca4-5e8155db6460?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/classes/models/profiles.php#L191"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/classes/models/profiles.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fclasses%2Fmodels%2Fprofiles.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Cross-Site Request Forgery to Profile Creation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4935",
    "datePublished": "2023-10-20T06:35:28.217Z",
    "dateReserved": "2023-09-13T13:05:09.920Z",
    "dateUpdated": "2026-04-08T16:57:23.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4920 (GCVE-0-2023-4920)
Vulnerability from cvelistv5
Published
2023-10-20 06:35
Modified
2026-04-08 16:54
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_save_options function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Additionally, input sanitization and escaping are insufficient, resulting in the possibility of malicious script injection; the record's title describes the combined issue as Cross-Site Request Forgery to Stored Cross-Site Scripting.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:52.239Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58d25eeb-b12c-4850-8308-eaa30982b5a8?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L805"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/index.php?contextall=1\u0026old=2968292\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Findex.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4920",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:23:23.052765Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:07:23.525Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_save_options function. This makes it possible for unauthenticated attackers to modify the plugin\u0027s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, input sanitization and escaping is insufficient resulting in the possibility of malicious script injection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:54:38.395Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58d25eeb-b12c-4850-8308-eaa30982b5a8?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L805"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/index.php?contextall=1\u0026old=2968292\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Findex.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4920",
    "datePublished": "2023-10-20T06:35:23.470Z",
    "dateReserved": "2023-09-12T18:37:12.514Z",
    "dateUpdated": "2026-04-08T16:54:38.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4937 (GCVE-0-2023-4937)
Vulnerability from cvelistv5
Published
2023-10-20 06:35
Modified
2026-04-08 16:48
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_apply_default_combination function. This makes it possible for unauthenticated attackers to manipulate products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:53.305Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40bf51bf-efb2-4504-815b-4681d1078f77?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L286"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4937",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:23:26.023607Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:07:55.041Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_apply_default_combination function. This makes it possible for unauthenticated attackers to manipulate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:48:29.634Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40bf51bf-efb2-4504-815b-4681d1078f77?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L286"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Cross-Site Request Forgery to Product Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4937",
    "datePublished": "2023-10-20T06:35:19.176Z",
    "dateReserved": "2023-09-13T13:53:48.655Z",
    "dateUpdated": "2026-04-08T16:48:29.634Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4940 (GCVE-0-2023-4940)
Vulnerability from cvelistv5
Published
2023-10-20 06:35
Modified
2026-04-08 16:45
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_swap function. This makes it possible for unauthenticated attackers to manipulate products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:53.266Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31c5e524-ef4d-48c7-baa0-595f8060a167?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L521"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4940",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:23:42.970998Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:10:17.211Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_swap function. This makes it possible for unauthenticated attackers to manipulate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:45:11.352Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/31c5e524-ef4d-48c7-baa0-595f8060a167?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L521"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Cross-Site Request Forgery to Product Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4940",
    "datePublished": "2023-10-20T06:35:15.630Z",
    "dateReserved": "2023-09-13T14:03:45.225Z",
    "dateUpdated": "2026-04-08T16:45:11.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4943 (GCVE-0-2023-4943)
Vulnerability from cvelistv5
Published
2023-10-20 06:35
Modified
2026-04-08 16:44
CWE
  • CWE-862 - Missing Authorization
Summary
The BEAR plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_visibility function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products. The same function is also the subject of CVE-2023-4942 (missing nonce validation), and both records reference the same changeset.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:53.459Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d10475f-83dd-4e59-83e4-aeaa72a22b96?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L719"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4943",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:23:51.808822Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:10:41.713Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_visibility function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:44:03.765Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d10475f-83dd-4e59-83e4-aeaa72a22b96?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L719"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Missing Authorization to Product Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4943",
    "datePublished": "2023-10-20T06:35:13.763Z",
    "dateReserved": "2023-09-13T14:07:19.587Z",
    "dateUpdated": "2026-04-08T16:44:03.765Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4942 (GCVE-0-2023-4942)
Vulnerability from cvelistv5
Published
2023-10-20 06:35
Modified
2026-04-08 16:42
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_visibility function. This makes it possible for unauthenticated attackers to manipulate products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:52.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26d8b75b-befa-4c6a-b072-0da44e437174?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L719"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4942",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:24:00.688695Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:11:05.093Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_visibility function. This makes it possible for unauthenticated attackers to manipulate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:42:49.480Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26d8b75b-befa-4c6a-b072-0da44e437174?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L719"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Cross-Site Request Forgery to Product Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4942",
    "datePublished": "2023-10-20T06:35:12.339Z",
    "dateReserved": "2023-09-13T14:06:45.859Z",
    "dateUpdated": "2026-04-08T16:42:49.480Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4938 (GCVE-0-2023-4938)
Vulnerability from cvelistv5
Published
2023-10-18 07:31
Modified
2026-04-08 17:20
CWE
  • CWE-862 - Missing Authorization
Summary
The BEAR plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_apply_default_combination function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products. The same function is also the subject of CVE-2023-4937 (missing nonce validation), and both records reference the same changeset.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:52.693Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c42f56a2-b9f9-40ef-86ad-fea6cf2e29f8?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L286"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4938",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:24:30.389370Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T19:13:33.764Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BEAR \u2013 Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net",
          "vendor": "realmag777",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_apply_default_combination function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:20:33.324Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c42f56a2-b9f9-40ef-86ad-fea6cf2e29f8?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L286"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1\u0026old=2844667\u0026old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-12T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "BEAR \u003c= 1.1.3.3 - Missing Authorization to Product Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-4938",
    "datePublished": "2023-10-18T07:31:17.079Z",
    "dateReserved": "2023-09-13T13:58:21.872Z",
    "dateUpdated": "2026-04-08T17:20:33.324Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}