Product Pricing Table by WooBeWoo Plugin Vulnerability (CVE-2026-1852)

Security Alert Summary

The Product Pricing Table by WooBeWoo WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 1.1.0. Missing or incorrect nonce validation on specific functions can allow an attacker to trick a site administrator into performing actions that inject scripts into pages or remove pricing tables via a forged request.


CVE Details

  • CVE ID: CVE-2026-1852
  • Affected component: Product Pricing Table by WooBeWoo plugin
  • Affected versions: All versions up to and including 1.1.0
  • Published: April 15, 2026 at 12:16:38 PM
  • Last modified: April 15, 2026 at 12:16:38 PM
  • CVSS v3.1: Base score 6.1 – MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: NONE
    • User Interaction: REQUIRED
    • Scope: CHANGED
    • Confidentiality Impact: LOW
    • Integrity Impact: LOW
    • Availability Impact: NONE
  • Authentication / Privileges: No authentication or elevated privileges required for the underlying CSRF condition (per CVSS: PR:N). User interaction is required.
  • Primary impact: Limited confidentiality and integrity impact (LOW); no direct availability impact indicated.
  • Weakness: CWE-352 (Cross-Site Request Forgery)

Technical Details

The vulnerability is a Cross-Site Request Forgery caused by missing or incorrect nonce validation on the updateLabel() and remove() functions in the plugin. Because these functions lack proper nonce checks, a crafted request from an attacker can cause an administrative user to perform actions unintentionally if they interact with attacker-controlled content (for example, clicking a link).

Documented impacts include the ability for an attacker to inject arbitrary web scripts into pages or to delete pricing tables via a forged request when an administrative user is tricked into performing the action. The issue exists in the request handling for the named functions where expected nonce validation is absent or incorrect.
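The nonce pattern described above, as an added illustration that is not the plugin's own code: a hypothetical admin-ajax label-update handler written without a nonce or capability check, beside the hardened form a WordPress developer would ship. All function names, action names and option keys are assumptions for the example.

```php
<?php
// Added example (not the plugin's code): hypothetical admin-ajax handlers showing
// the CWE-352 pattern on the page and its hardened form. Names are illustrative.

// --- Vulnerable pattern: no nonce check, no capability check, no sanitization. ---
// Any POST that reaches admin-ajax.php with an admin's session cookies is honoured,
// so a cross-site form the admin is lured into submitting is treated as legitimate.
function example_update_label_vulnerable() {
    $table_id = intval( $_POST['table_id'] );
    $label    = $_POST['label']; // raw markup is stored and later rendered in pages
    update_option( 'example_pricing_label_' . $table_id, $label );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_label_vuln', 'example_update_label_vulnerable' );

// --- Hardened pattern: action-bound nonce, capability check, sanitized input. ---
function example_update_label_secure() {
    // Verifies the 'nonce' POST field against this action; dies with 403 if the
    // nonce is missing, expired, or was issued for a different action or user.
    check_ajax_referer( 'example_update_label', 'nonce' );

    // A nonce proves intent, not authorization: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $table_id = absint( $_POST['table_id'] ?? 0 );
    $label    = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'example_pricing_label_' . $table_id, $label );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_label', 'example_update_label_secure' );

// The legitimate admin form carries the matching nonce; a third-party page cannot
// read it, so a forged submission fails the check_ajax_referer() call above.
function example_render_label_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_update_label">
        <?php wp_nonce_field( 'example_update_label', 'nonce' ); ?>
        <input type="number" name="table_id" value="1">
        <input type="text" name="label" value="">
        <button type="submit">Save label</button>
    </form>
    <?php
}
```

The same three checks (nonce, capability, input handling) apply to a delete handler such as the remove() function named above; the nonce action string should differ per operation so a token issued for one action cannot be replayed against another.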


How This Could Impact Your Website

Consider a site with a site owner, an internal content editor, and an external contractor who occasionally manages pricing content. If an administrator-level user interacts with attacker-controlled content (for example, clicking on a link), an attacker could use the missing nonce validation to submit requests that the site treats as legitimate. Practical consequences may include injection of scripts that alter front-end content or collect data visible on pages, and deletion of pricing tables used on product or landing pages.

Potential practical effects include exposure of information visible on affected pages (which could increase the risk of targeted phishing or social engineering) and disruption to published pricing content that affects customers and staff workflows. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and editor accounts with access to plugin actions.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior related to content changes or unexpected requests.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
