CVE-2026-8904
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CWE: CWE-352
Description
The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
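The CWE-352 pattern the advisory describes, shown as an added illustration rather than the FastPicker plugin's own code: a WordPress settings handler that saves POSTed options without verifying a nonce, followed by the same handler hardened with the standard nonce and capability checks. All function, option and form-field names below are hypothetical.

```php
<?php
// Added example, not code from the FastPicker plugin. Names are hypothetical.

// VULNERABLE: any POST that reaches this page while an administrator is logged
// in is honoured, so a form submitted from a third-party site (CSRF) can
// rewrite the API URL and toggle the webhook setting.
function example_settings_page_vulnerable() {
    if ( isset( $_POST['example_api_url'] ) ) {
        update_option( 'example_api_url', esc_url_raw( wp_unslash( $_POST['example_api_url'] ) ) );
        update_option( 'example_webhook_enabled', ! empty( $_POST['example_webhook_enabled'] ) );
    }
    // ... render the form ...
}

// HARDENED: the request must carry a nonce that only a form rendered by this
// site for this user contains, and the user must be allowed to manage options.
function example_settings_page_hardened() {
    if ( isset( $_POST['example_api_url'] ) ) {
        // check_admin_referer() calls wp_die() when the nonce is missing or invalid.
        check_admin_referer( 'example_save_settings', 'example_settings_nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
        }
        update_option( 'example_api_url', esc_url_raw( wp_unslash( $_POST['example_api_url'] ) ) );
        update_option( 'example_webhook_enabled', ! empty( $_POST['example_webhook_enabled'] ) );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ); ?>
        <input type="url" name="example_api_url"
               value="<?php echo esc_attr( get_option( 'example_api_url', '' ) ); ?>">
        <label>
            <input type="checkbox" name="example_webhook_enabled" value="1"
                   <?php checked( get_option( 'example_webhook_enabled' ) ); ?>>
            Enable webhook
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Reviewing a plugin for this issue means locating every branch that writes options from `$_POST` or `$_GET` and confirming a nonce check and a capability check both precede the write.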
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-8904
- [Other] https://plugins.trac.wordpress.org/browser/fastpicker/trunk/src/Views/Settings.php#L32
- [Other] https://plugins.trac.wordpress.org/browser/fastpicker/trunk/src/WooOrderpicker/Admin.php#L29
- [Other] https://www.wordfence.com/threat-intel/vulnerabilities/id/d1e3a7d8-d303-4638-8dc9-c62302cfa5fb?source=cve
Related CVEs
Same CWE
- CVE-2026-53739 — Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which ... (4.3 MEDIUM)
- CVE-2026-53736 — Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonc... (4.3 MEDIUM)
- CVE-2025-58468 — A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center
- CVE-2026-39170 — SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php (6.3 MEDIUM)
- CVE-2026-8940 — The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9 (4.3 MEDIUM)