PatchSiren cyber security CVE debrief
CVE-2026-8904 yuluma CVE debrief
The FastPicker plugin for WordPress, an order picker and order management system (OMS) for WooCommerce, is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0.2. This vulnerability is due to missing or incorrect nonce validation on the settingsPage function. An unauthenticated attacker can exploit this vulnerability by tricking a site administrator into performing an action such as clicking on a link, allowing them to modify the plugin's settings. This includes toggling the webhook integration and changing the FastPicker and KDZ API URLs.
- Vendor
- yuluma
- Product
- FastPicker, an order picker and order management system (oms) for WooCommerce on steroids
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-09
Who should care
Administrators of WordPress sites running the FastPicker plugin at any version up to and including 1.0.2. The attacker needs no account of their own, but does need a logged-in site administrator to load attacker-controlled content (for example by clicking a link), so sites whose administrators browse other sites while signed in to wp-admin are the realistic target.
Technical summary
The vulnerability has a CVSS score of 4.3 and a severity rating of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: reachable over the network, no privileges required of the attacker, but user interaction (an administrator visiting attacker-controlled content) is required, and the impact is limited to integrity, since the forged request can only change plugin settings. The weakness is classified as CWE-352 (Cross-Site Request Forgery).
Defensive priority
MEDIUM
Recommended defensive actions
- Update the FastPicker plugin to a release later than 1.0.2 as soon as one is available; the advisory does not name a fixed version.
- For the plugin's developers (site administrators cannot patch this themselves): guard every settings write with a capability check (current_user_can( 'manage_options' )) and a nonce check (check_admin_referer() against a wp_nonce_field() emitted in the form), and sanitize the submitted values before storing them. Input validation on its own does not stop CSRF, because a forged request carries perfectly well-formed values.
- Until a fix is installed, administrators can reduce exposure by not browsing untrusted sites while signed in to wp-admin, and should review the webhook toggle and the FastPicker and KDZ API URLs in the plugin's settings for unexpected changes.
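The following is an added example, not the FastPicker plugin's own code: a minimal WordPress settings page written to show the CSRF shape described above (a handler that saves POSTed settings without nonce validation) beside the hardened form that the recommended actions call for. The option names, the `fpdemo` page slug, the nonce action name and all function names are assumptions for the example; the plugin's real `settingsPage` function and form are not reproduced here.

```php
<?php
// Added example, not FastPicker's code. Option names, the 'fpdemo' slug and the
// nonce action 'fpdemo_save_settings' are assumptions made for this illustration.

// --- Vulnerable shape (CWE-352): the save path trusts any POST that arrives.
// A third-party page can contain
//   <form method="post" action="https://victim.example/wp-admin/options-general.php?page=fpdemo">
// with hidden fields and a script that submits it; the browser attaches the
// administrator's session cookies, so the settings are overwritten.
function fpdemo_settings_page_vulnerable() {
    if ( isset( $_POST['fpdemo_save'] ) ) {
        update_option( 'fpdemo_webhook_enabled', ! empty( $_POST['webhook_enabled'] ) ? 1 : 0 );
        update_option( 'fpdemo_fastpicker_api_url', $_POST['fastpicker_api_url'] );
        update_option( 'fpdemo_kdz_api_url', $_POST['kdz_api_url'] );
    }
    fpdemo_render_form( false ); // form rendered without a nonce field
}

// --- Hardened shape: capability check, nonce check, then sanitize before saving.
function fpdemo_settings_page_hardened() {
    // Only users allowed to manage options may reach the save path at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to change these settings.', 'fpdemo' ),
            '',
            array( 'response' => 403 )
        );
    }
    if ( isset( $_POST['fpdemo_save'] ) ) {
        // check_admin_referer() verifies the nonce tied to this action and to the
        // current user's session; a forged cross-site POST cannot know it, so the
        // call dies with a 403 before anything is written.
        check_admin_referer( 'fpdemo_save_settings', 'fpdemo_nonce' );

        $fp_url  = esc_url_raw( wp_unslash( $_POST['fastpicker_api_url'] ?? '' ), array( 'http', 'https' ) );
        $kdz_url = esc_url_raw( wp_unslash( $_POST['kdz_api_url'] ?? '' ), array( 'http', 'https' ) );

        update_option( 'fpdemo_webhook_enabled', ! empty( $_POST['webhook_enabled'] ) ? 1 : 0 );
        update_option( 'fpdemo_fastpicker_api_url', $fp_url ); // only http(s) URLs survive
        update_option( 'fpdemo_kdz_api_url', $kdz_url );
    }
    fpdemo_render_form( true ); // form carries the nonce the handler checks
}

// Shared form; $with_nonce controls whether the nonce field is emitted.
function fpdemo_render_form( $with_nonce ) {
    $enabled = (int) get_option( 'fpdemo_webhook_enabled', 0 );
    $fp_url  = get_option( 'fpdemo_fastpicker_api_url', '' );
    $kdz_url = get_option( 'fpdemo_kdz_api_url', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=fpdemo' ) ); ?>">
        <?php
        if ( $with_nonce ) {
            // Emits <input type="hidden" name="fpdemo_nonce" value="..."> plus a referer field.
            wp_nonce_field( 'fpdemo_save_settings', 'fpdemo_nonce' );
        }
        ?>
        <label><input type="checkbox" name="webhook_enabled" value="1" <?php checked( $enabled, 1 ); ?>> Enable webhook integration</label><br>
        <label>FastPicker API URL <input type="url" name="fastpicker_api_url" value="<?php echo esc_attr( $fp_url ); ?>"></label><br>
        <label>KDZ API URL <input type="url" name="kdz_api_url" value="<?php echo esc_attr( $kdz_url ); ?>"></label><br>
        <button type="submit" name="fpdemo_save" value="1">Save</button>
    </form>
    <?php
}

// Register the hardened page under Settings; swap in the vulnerable callback
// only on a throwaway test site to observe the forged POST succeeding.
add_action( 'admin_menu', function () {
    add_options_page( 'FastPicker demo', 'FastPicker demo', 'manage_options', 'fpdemo', 'fpdemo_settings_page_hardened' );
} );
```

Both handlers sanitize nothing about who sent the request until the hardened version adds the two checks; that is the whole difference. The capability check alone is not enough, because the administrator the attacker targets does have `manage_options`; the nonce is what binds the request to a form the administrator actually loaded from this site.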
Evidence notes
Evidence for this vulnerability comes from the National Vulnerability Database (NVD) and Wordfence security research.
Official resources
CVE-2026-8904 was published on 2026-06-09T05:16:40.280Z and modified on 2026-06-09T13:33:34.393Z.