Impact
Cross‑Site Request Forgery (CSRF) was found in the WP Inventory Manager plugin for WordPress. The plugin exposes endpoints that perform inventory actions without verifying that the request originated from the legitimate site: the requests carry no CSRF protection token (WordPress nonce). An attacker can trick an authenticated user into submitting a request to the plugin, which will then carry out inventory changes, such as adding, editing, or deleting items, under that user's credentials. The flaw does not directly expose sensitive data, but it can compromise data integrity and potentially affect business operations that rely on accurate inventory records.
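The missing check described above, shown as an added example that is not code from the WP Inventory Manager plugin: a generic WordPress admin-post handler first in the unprotected form (any POST with the expected fields is acted on) and then hardened with a nonce and a capability check. All handler, action, table and field names prefixed with `example_` are hypothetical; the WordPress functions used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `admin_post_*` hooks) are the standard API.

```php
<?php
/*
 * Added example (not code from the WP Inventory Manager plugin): a generic
 * WordPress admin-post handler shown first without, then with, the CSRF
 * protections the advisory says the plugin lacks. Every name prefixed
 * "example_" is hypothetical; the wp_* / check_* calls are WordPress core API.
 */

// --- Vulnerable pattern: acts on any POST that carries the expected fields. ---
// A form hosted on another site can trigger this while the victim is logged in,
// because the browser attaches the WordPress auth cookie automatically.
function example_delete_item_unprotected() {
    global $wpdb;
    $item_id = (int) ($_POST['item_id'] ?? 0);
    $wpdb->delete($wpdb->prefix . 'example_inventory', array('id' => $item_id), array('%d'));
    wp_safe_redirect(admin_url('admin.php?page=example-inventory'));
    exit;
}

// --- Hardened pattern: nonce (CSRF token) plus capability check. ---
function example_delete_item_form() {
    // Rendered only by the real site: wp_nonce_field() embeds a per-user,
    // time-limited token bound to the action name 'example_delete_item'.
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="example_delete_item">';
    echo '<input type="number" name="item_id" value="">';
    wp_nonce_field('example_delete_item', '_example_nonce');
    submit_button('Delete item');
    echo '</form>';
}

function example_delete_item_protected() {
    // 1. Reject requests that do not carry a valid nonce for this action.
    //    check_admin_referer() calls wp_die() on failure, so a forged
    //    cross-site request never reaches the database write.
    check_admin_referer('example_delete_item', '_example_nonce');

    // 2. A nonce proves intent, not authorization: still enforce the capability.
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to modify inventory.'), 403);
    }

    global $wpdb;
    $item_id = absint($_POST['item_id'] ?? 0);
    if ($item_id === 0) {
        wp_die(__('Invalid item id.'), 400);
    }
    $wpdb->delete($wpdb->prefix . 'example_inventory', array('id' => $item_id), array('%d'));

    wp_safe_redirect(add_query_arg('deleted', '1', admin_url('admin.php?page=example-inventory')));
    exit;
}

// Route admin-post.php?action=example_delete_item to the hardened handler for
// logged-in users only (no admin_post_nopriv_* hook, so anonymous requests are ignored).
add_action('admin_post_example_delete_item', 'example_delete_item_protected');
```

For handlers registered on `admin-ajax.php` the equivalent call is `check_ajax_referer()`, and front-end forms can verify with `wp_verify_nonce()` on a field emitted by `wp_create_nonce()`. The nonce and the capability check are separate controls: the first stops a request the user never intended to send, the second stops a user who has no business sending it. Setting the WordPress auth cookie with `SameSite=Lax` is a useful additional layer but does not replace the nonce, since GET-based handlers and older browsers are not covered by it.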
Affected Systems
WordPress installations that use the WP Inventory Manager plugin, version 2.3.4 or earlier. All plugin versions up to and including 2.3.4 are affected, regardless of the active WordPress theme or other installed plugins. Administrators running these versions should verify the installed plugin version and update accordingly.
Risk and Exploitability
The CVSS score of 4.3 indicates low‑to‑moderate severity, and the EPSS score of less than 1% suggests a small probability of exploitation in the wild. However, because the attack only requires that the victim hold an authenticated session (the browser attaches the session cookie automatically) and load a malicious link or form, the attack vector is readily achievable via phishing or malicious content injected into user‑facing pages. While the vulnerability is not listed in CISA's KEV catalog, organizations that store critical inventory data should treat it as a valid concern, particularly if the WordPress instance is publicly exposed and users actively perform inventory transactions.
OpenCVE Enrichment