Attack Vectors
CVE-2026-22461 is a Medium-severity vulnerability (CVSS 5.3; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) affecting Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels (slug: webappick-product-feed-for-woocommerce) in versions up to and including 6.6.18.
Because the issue is reachable over the network (AV:N) and needs no authentication (PR:N), an attacker can attempt exploitation remotely against any site running a vulnerable version; no action by a site user or administrator is required (UI:N).
Official CVE record: https://www.cve.org/CVERecord?id=CVE-2026-22461
Security Weakness
The CTX Feed plugin is vulnerable due to a missing authorization (capability) check on a function in versions through 6.6.18. In practical terms, the plugin exposes a function that performs a state-changing action without first confirming that the caller holds the required WordPress capability (for example via current_user_can()), so a request from any source is treated as permitted.
As a result, unauthenticated attackers may be able to perform an unauthorized action through the affected function. (The public advisory describes the condition and impact at a high level without detailing the exact action.)
Remediation: Update CTX Feed to version 6.6.19 or newer (patched). Reference advisory source: Wordfence vulnerability report.
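The pattern behind this class of bug, as an added illustration that is not CTX Feed's own code and does not reflect its actual hook names: a generic WordPress AJAX handler that changes plugin state without an authorization check, beside a hardened version of the same handler and a REST route registered with a proper permission callback. All names (ctxdemo_*, the option key, the action and route names) are hypothetical.

```php
<?php
/**
 * Added example (not CTX Feed's code). Demonstrates a missing capability
 * check in a WordPress plugin handler and the hardened form.
 * Hook names, option keys and route names below are hypothetical.
 */

// ---- VULNERABLE PATTERN -------------------------------------------------
// Registered on both the logged-in and the "nopriv" (anonymous) AJAX hook,
// and the handler never asks who is calling before it changes state.
add_action( 'wp_ajax_ctxdemo_regenerate_feed',        'ctxdemo_regenerate_feed_vulnerable' );
add_action( 'wp_ajax_nopriv_ctxdemo_regenerate_feed', 'ctxdemo_regenerate_feed_vulnerable' );

function ctxdemo_regenerate_feed_vulnerable() {
    // No current_user_can(), no nonce: any HTTP client that can reach
    // /wp-admin/admin-ajax.php?action=ctxdemo_regenerate_feed gets here.
    $feed_id = isset( $_POST['feed_id'] ) ? absint( $_POST['feed_id'] ) : 0;
    // The unauthorized write is the integrity impact (I:L in the CVSS vector).
    update_option( 'ctxdemo_feed_' . $feed_id . '_status', 'regenerate' );
    wp_send_json_success( array( 'queued' => $feed_id ) );
}

// ---- HARDENED PATTERN ---------------------------------------------------
// Only the logged-in hook is registered (no wp_ajax_nopriv_ variant), the
// handler verifies a capability, and it verifies a nonce against CSRF.
add_action( 'wp_ajax_ctxdemo_regenerate_feed_safe', 'ctxdemo_regenerate_feed_safe' );

function ctxdemo_regenerate_feed_safe() {
    // 1. Authorization: the caller must hold a capability that fits the
    //    action. manage_woocommerce is WooCommerce's store-management cap;
    //    pick the narrowest capability that covers the operation.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    // 2. CSRF: the admin UI must send a nonce created with
    //    wp_create_nonce( 'ctxdemo_regenerate_feed' ) in the 'nonce' field.
    //    check_ajax_referer() dies with -1 / HTTP 403 on a bad or missing nonce.
    check_ajax_referer( 'ctxdemo_regenerate_feed', 'nonce' );

    // 3. Input validation after the access decision, not instead of it.
    $feed_id = isset( $_POST['feed_id'] ) ? absint( $_POST['feed_id'] ) : 0;
    if ( 0 === $feed_id ) {
        wp_send_json_error( array( 'message' => 'invalid feed id' ), 400 );
    }

    update_option( 'ctxdemo_feed_' . $feed_id . '_status', 'regenerate' );
    wp_send_json_success( array( 'queued' => $feed_id ) );
}

// ---- REST API EQUIVALENT ------------------------------------------------
// The same bug appears in REST routes as permission_callback => '__return_true'
// on a route that writes. The permission callback is where the
// authorization decision belongs; the REST layer handles the nonce/cookie
// check for logged-in callers.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ctxdemo/v1', '/feeds/(?P<id>\d+)/regenerate', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $feed_id = absint( $request['id'] );
            update_option( 'ctxdemo_feed_' . $feed_id . '_status', 'regenerate' );
            return rest_ensure_response( array( 'queued' => $feed_id ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args'                => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

When auditing a plugin for this weakness, look for handlers reached through wp_ajax_nopriv_*, admin_post_nopriv_*, REST routes whose permission_callback is `__return_true`, or init/template hooks that branch on a request parameter, and confirm each one that writes state calls current_user_can() (or an equivalent) before doing so. To confirm the installed version on a site, `wp plugin get webappick-product-feed-for-woocommerce --field=version` (WP-CLI) returns the version string to compare against the patched 6.6.19.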
Technical or Business Impacts
While this CVE is rated Medium and the CVSS score indicates no direct confidentiality loss and no availability impact, it does indicate a risk of unauthorized changes (integrity impact). For ecommerce teams, integrity issues are often the most business-relevant: they can undermine the accuracy and trustworthiness of automation that supports revenue-generating channels.
Depending on what the unauthorized action enables in your environment, potential business impacts may include: disruption or manipulation of product feed operations, incorrect product listings on shopping/social channels, brand damage from mismatched pricing/availability, and additional operational workload for marketing and ecommerce teams to diagnose and correct downstream issues.
For compliance and risk stakeholders, the key takeaway is governance: a missing authorization check can allow actions outside approved workflows, reducing confidence in auditability and change control around commerce-related integrations.
Similar Attacks
Missing authorization and exposed functionality in WordPress components have driven high-impact incidents in the past. Examples to be aware of:
CVE-2020-25213 (File Manager plugin) — unauthenticated attackers could upload files leading to remote code execution
WordPress 4.7.2 Security Release — fixed an unauthenticated REST API content-injection flaw in 4.7.0 and 4.7.1 that allowed anyone to modify existing posts, affecting site integrity
CVE-2021-29447 (WordPress core) — XML external entity (XXE) flaw in the media library's handling of uploaded WAV files, exploitable on PHP 8 by users with upload permissions