CVE-2026-6932 Overview
CVE-2026-6932 is a Cross-Site Request Forgery (CSRF) vulnerability in the Woo Commerce Minimum Weight plugin for WordPress. The flaw affects all versions up to and including 3.0.1. The plugin's edit-weight.php settings update handler lacks nonce verification, allowing unauthenticated attackers to forge requests against authenticated administrators. An attacker can trick a site administrator into clicking a malicious link or visiting an attacker-controlled page that submits a forged POST request. Successful exploitation modifies the minimum order weight setting on the targeted WooCommerce store. The weakness is classified under CWE-352 (Cross-Site Request Forgery).
Critical Impact
Unauthenticated attackers can alter WooCommerce minimum order weight settings by tricking administrators into visiting a malicious page, disrupting store order validation logic.
Affected Products
- Woo Commerce Minimum Weight plugin for WordPress, versions up to and including 3.0.1
- The vulnerable handler is located in edit-weight.php
- WordPress sites running WooCommerce with this plugin installed
Discovery Timeline
- 2026-05-12 - CVE-2026-6932 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-6932
Vulnerability Analysis
The Woo Commerce Minimum Weight plugin exposes a settings update endpoint through edit-weight.php that processes POST requests to change the configured minimum order weight. The handler accepts and applies submitted values without validating a WordPress nonce token. Nonces are the standard WordPress mechanism for confirming that a state-changing request originated from a legitimate, intentional user action within the admin interface.
Because the handler omits both wp_verify_nonce() and check_admin_referer() calls, the browser of an authenticated administrator becomes a confused deputy. Any cross-origin page can submit a form or fetch request that the administrator's browser will authenticate using existing WordPress session cookies. The server cannot distinguish a forged request from a legitimate one.
The impact is limited to integrity of the minimum weight configuration. Confidentiality and availability are not directly affected, and the attack requires user interaction from a privileged user.
Root Cause
The root cause is missing CSRF protection on a privileged state-changing operation. The plugin author did not implement nonce generation in the settings form or nonce verification in the request handler. This pattern is a well-documented anti-pattern in WordPress plugin development and maps directly to CWE-352.
Attack Vector
The attack proceeds in four steps. First, the attacker crafts an HTML page containing an auto-submitting form that targets the vulnerable WordPress site's edit-weight.php endpoint with arbitrary minimum weight values. Second, the attacker delivers the page through phishing, a forum post, a comment, or a compromised third-party site. Third, an authenticated WordPress administrator visits the page while logged in. Fourth, the administrator's browser submits the forged POST request with valid session cookies, and the plugin applies the attacker-supplied value. See the Wordfence Vulnerability Report and the vulnerable source in edit-weight.php for technical details.
Detection Methods for CVE-2026-6932
Indicators of Compromise
- Unexpected changes to the WooCommerce minimum order weight setting without corresponding administrator activity in audit logs.
- WordPress access logs showing POST requests to edit-weight.php with a Referer header pointing to an external or untrusted domain.
- POST requests to the plugin's settings handler that lack the expected admin-area Referer or originate from cross-site contexts.
Detection Strategies
- Inventory WordPress installations and identify sites running the Woo Commerce Minimum Weight plugin at version 3.0.1 or earlier.
- Review web server and WordPress audit logs for POST requests to edit-weight.php correlated with administrator session cookies and external referrers.
- Deploy a WordPress security plugin or web application firewall rule that flags state-changing admin POST requests missing the _wpnonce parameter.
Monitoring Recommendations
- Alert on configuration changes to WooCommerce shipping and order weight parameters outside of approved change windows.
- Monitor administrator browsing telemetry for visits to untrusted domains immediately preceding setting changes.
- Track plugin version inventory across the WordPress estate to detect unpatched instances of the Woo Commerce Minimum Weight plugin.
How to Mitigate CVE-2026-6932
Immediate Actions Required
- Identify all WordPress sites running the Woo Commerce Minimum Weight plugin at version 3.0.1 or earlier.
- Deactivate and remove the plugin if a patched version is not yet available and the functionality is not business-critical.
- Instruct WordPress administrators to log out of admin sessions when not actively managing the site to reduce CSRF exposure.
- Review the current minimum order weight configuration and restore the intended value if tampering is suspected.
Patch Information
No fixed version is identified in the available NVD record at the time of publication. Monitor the WordPress plugin repository and the Wordfence Vulnerability Report for the release that introduces nonce verification in edit-weight.php. Apply the update through the WordPress admin Plugins page or via wp-cli once available.
Workarounds
- Deploy a web application firewall rule that blocks POST requests to edit-weight.php lacking a same-origin Referer header.
- Restrict access to the WordPress admin area by IP allowlist or VPN to limit exposure of authenticated admin sessions to attacker-controlled pages.
- Use a browser profile dedicated to WordPress administration that does not visit untrusted sites during admin sessions.
- Enforce least privilege by reducing the number of accounts with administrator-level capabilities on the WooCommerce site.
# Example wp-cli commands to inventory and remove the vulnerable plugin
wp plugin list --name=woo-commerce-min-weight --fields=name,status,version
wp plugin deactivate woo-commerce-min-weight
wp plugin delete woo-commerce-min-weight
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
