WordFence Security Warning
Hi,
WordFence says:
- The Plugin “CTX Feed” has a security vulnerability.
- Type: Plugin Vulnerable
- Issue Found 14 January 2026 16:11
- Critical
Thank you,
Tony Hisir
Hi Tony,
Thank you for bringing this to our attention and for sharing the Wordfence report.
For your kind information, CTX Feed fully complies with the security standards and guidelines of the WordPress plugin directory. At this time, we have not received any confirmed vulnerability reports from WordPress or other security audits related to our plugin.
That said, some security plugins (including Wordfence) may occasionally flag plugins based on heuristics or false positives. To help us properly investigate and understand the nature of this report, we kindly request you to share the following details if available:
- The exact vulnerability name or ID reported by Wordfence
- The detailed description of the issue shown in Wordfence
- Any steps or instructions to reproduce the issue
Once we have these details, our development team will thoroughly investigate the report and take appropriate action if any improvement is required.
We appreciate your cooperation and look forward to your response so we can assist you further.
Kind regards,
It was published on 2026-01-04.
https://patchstack.com/database/wordpress/plugin/webappick-product-feed-for-woocommerce/vulnerability/wordpress-ctx-feed-plugin-6-6-15-broken-access-control-vulnerability
I suggest integrating with a vulnerability API like PatchStack’s free mVDP (https://patchstack.com/for-plugins) or CVE.org (https://www.cve.org/AllResources/CveServices#build-your-own-client). Wordfence and related security plugins primarily use PatchStack to get vulnerabilities, and that is why it was flagged.
This reply was modified 4 months, 2 weeks ago by Brennan Goewert. Reason: wrong publish date
I do not know much about these, just sending you what I received from WordFence.
Description
The CTX Feed plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.6.18. This makes it possible for unauthenticated attackers to perform an unauthorized action.
References
Missing Authorization
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2026-22461
- CVSS: 5.3 (Medium)
- Publicly Published: January 4, 2026
- Last Updated: January 14, 2026
- Researcher: PPzzAArr
No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected Version <= 6.6.18
Hi @copperrefections @bgoewert
Thank you for bringing this to our attention and for sharing the report.
We take security matters very seriously. We are currently reviewing the reported issue regarding the missing capability check in CTX Feed versions up to 6.6.18, as referenced by Patchstack. Our development team has already started investigating the claim to verify the scope and impact of the reported behavior.
If the issue is confirmed, we will release a patched version as soon as possible and notify users immediately. We strongly encourage all users to keep the plugin updated and follow best security practices.
In the meantime, if you have specific details, proof of concept, or steps to reproduce the issue, we would greatly appreciate it if you could share them with us. This will help us address the matter more efficiently.
Thank you again for reporting this and helping us improve the security of CTX Feed.
Kind regards,
Hi,
The CTX Feed plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.6.18. This makes it possible for unauthenticated attackers to perform an unauthorized action.
References
Missing Authorization
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2026-22461
- CVSS: 5.3 (Medium)
- Publicly Published: January 4, 2026
- Last Updated: January 14, 2026
- Researcher: PPzzAArr
- Software Type: Plugin
- Software Slug: webappick-product-feed-for-woocommerce (view on ww.wp.xz.cn)
- Patched? No
- Remediation: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
- Affected Version: <= 6.6.18
This is what WordFence says. I do not have too much knowledge about websites. I wish I could help you more.
Hi Again,
I have been using your plugin for a long time. Recently I had to add the Multi Currency for WooCommerce plugin, and this apparently adds ?wmc-currency= at the end of the URLs. Now because of this Google Merchant Center says “Unable to check product pages”.
How can I configure the Google Shopping feed so the URLs are clean without ?wmc-currency=?
I will really appreciate your advice.
Thank you,
Tony
Dear @copperrefections
A new version of CTX Feed has been released that addresses the issue. Please update the plugin to the latest version to resolve the problem.
Thank you,
Thank you very much, @mansary
Is there information as to how to configure the plugin to generate just clean, base URLs?
I appreciate your advice.
The possible reason you are getting currency parameters could be due to a currency conversion plugin. Could you please share a screenshot of the feed config and let us check how the feed is configured?
You can also reach us from here – webappick.com/contact.
Thank you,