Attack Vectors
CVE-2026-1852 affects the Product Pricing Table by WooBeWoo WordPress plugin (slug: woo-product-pricing-tables) in versions up to and including 1.1.0. This is a Medium severity issue (CVSS 6.1).
The primary attack path is Cross-Site Request Forgery (CSRF): an attacker can send or present a crafted link or web request and trick a logged-in site administrator into triggering it (for example, by clicking a link while authenticated to the WordPress admin). The attacker does not need to be logged in, but the attack relies on admin interaction.
If successful, the forged request can be used to store malicious script content on the site (stored XSS) or delete pricing tables.
Security Weakness
The vulnerability is caused by missing or incorrect nonce validation in the plugin’s updateLabel() and remove() functions. Nonces are a standard WordPress control used to ensure that administrative actions are intentionally initiated by authorized users.
When nonce checks are absent or implemented incorrectly, a third party can forge requests that appear legitimate to WordPress—creating an opening for stored cross-site scripting and unauthorized deletion actions when an admin is induced to interact with attacker-controlled content.
Reference: CVE-2026-1852 record and the published advisory source from Wordfence.
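The following is an added illustration, not the plugin's own code and not taken from the advisory: a WordPress admin-ajax handler written in the weak pattern the advisory describes (no nonce or capability check, raw HTML stored) next to a hardened version. Every hook name, nonce action, meta key and capability below (wbw_example_*, _wbw_example_label, manage_options) is an assumption chosen for the example.

```php
<?php
// Added example for illustration only; hook names, nonce actions, meta keys
// and capabilities are assumptions, not the plugin's real identifiers.

// --- Weak pattern (the class of defect the advisory describes) ---
// No nonce check and no capability check: a request that an authenticated
// admin's browser is induced to send is processed as if the admin intended it,
// and the label is stored unfiltered, so injected markup is served later.
function wbw_example_update_label_weak() {
    $table_id = isset( $_POST['table_id'] ) ? (int) $_POST['table_id'] : 0;
    $label    = isset( $_POST['label'] ) ? $_POST['label'] : '';
    update_post_meta( $table_id, '_wbw_example_label', $label );
    wp_send_json_success();
}

// --- Hardened pattern ---
function wbw_example_update_label_secure() {
    // 1. Nonce: proves the request came from a page this plugin rendered for
    //    this user. check_ajax_referer() terminates with 403 when it fails.
    check_ajax_referer( 'wbw_example_update_label', 'nonce' );

    // 2. Capability: a nonce proves intent, not authorization; confirm the
    //    user is allowed to edit pricing tables at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input handling: coerce the id, reduce the label to allowed HTML.
    $table_id = isset( $_POST['table_id'] ) ? absint( $_POST['table_id'] ) : 0;
    $label    = isset( $_POST['label'] ) ? wp_kses_post( wp_unslash( $_POST['label'] ) ) : '';
    if ( ! $table_id ) {
        wp_send_json_error( array( 'message' => 'bad id' ), 400 );
    }

    update_post_meta( $table_id, '_wbw_example_label', $label );
    wp_send_json_success();
}
add_action( 'wp_ajax_wbw_example_update_label', 'wbw_example_update_label_secure' );

// Deletion gets the same treatment. A per-item nonce action means a token
// issued for one table cannot be replayed against a different table id.
function wbw_example_remove_secure() {
    $table_id = isset( $_POST['table_id'] ) ? absint( $_POST['table_id'] ) : 0;
    check_ajax_referer( 'wbw_example_remove_' . $table_id, 'nonce' );
    if ( ! $table_id || ! current_user_can( 'delete_post', $table_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_delete_post( $table_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_wbw_example_remove', 'wbw_example_remove_secure' );

// Rendering side: the nonce is minted server-side for the logged-in user, and
// stored content is escaped on output as a second line of defence.
function wbw_example_render_label( $table_id ) {
    $label = get_post_meta( $table_id, '_wbw_example_label', true );
    $nonce = wp_create_nonce( 'wbw_example_remove_' . $table_id );
    printf(
        '<span class="wbw-label">%s</span> <button data-id="%d" data-nonce="%s">Remove</button>',
        esc_html( $label ),
        (int) $table_id,
        esc_attr( $nonce )
    );
}
```

The two checks are deliberately separate: check_ajax_referer() answers "did this user's own page send this request?", while current_user_can() answers "may this user perform the action?". A handler that has only one of them is still exploitable through the missing one, and output escaping on render limits the damage if an unfiltered value ever does reach the database.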
Technical or Business Impacts
Brand and customer trust risk: Stored XSS can allow malicious code to run in visitors’ browsers on affected pages. This can damage credibility, especially if customers see unexpected popups, redirects, or suspicious content associated with your brand.
Revenue and conversion impact: Pricing tables are directly tied to sales performance. Unauthorized pricing table deletion can disrupt product presentation, reduce conversion rates, and create urgent unplanned work for marketing and web teams.
Compliance and data exposure concerns: While the advisory describes script injection (not a confirmed data breach), stored XSS can enable harmful downstream outcomes (for example, interfering with user sessions or page content), which may elevate incident response and compliance review needs depending on what content is impacted.
Operational disruption: Remediation often involves emergency plugin updates, validation of site content, review for injected scripts, and restoring deleted assets—creating avoidable downtime and marketing campaign delays.
Recommended action: Update Product Pricing Table by WooBeWoo to version 1.1.1 or newer (the patched release) per the advisory remediation guidance.
Similar Attacks
Stored XSS issues have impacted major web platforms (including WordPress itself) in the past, underscoring how script injection can become a business problem—not just a technical one. For example: CVE-2019-8942 (WordPress core stored XSS).