Description
Cross-Site Request Forgery (CSRF) vulnerability in colabrio Stockie Extra stockie-extra allows Cross Site Request Forgery. This issue affects Stockie Extra: from n/a through <= 1.2.11.
Published: 2025-10-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Stockie Extra WordPress plugin contains a CSRF flaw that permits an attacker to cause authenticated users to perform unintended actions. By forging a request that includes the victim’s credentials, an attacker can manipulate the site’s state, potentially altering content or settings. This weakness is classified as CWE‑352 and directly impacts the integrity of the WordPress installation.

Affected Systems

The vulnerability affects the Stockie Extra plugin from all versions through 1.2.11. It is delivered by the vendor colabrio. Any WordPress site that has a vulnerable Stockie Extra plugin installed is impacted.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity, and the EPSS score is below 1 %, implying a low probability of exploitation. The vulnerability is not listed in CISA KEV. Exploitation requires a logged‑in user’s browser to be tricked into sending a forged request, so attackers rely on social engineering or malicious links rather than direct code execution. Because the EPSS score is low, the likelihood of exploitation in the wild is currently limited, but the risk rises if the plugin remains unpatched on sites with active administrators.

Generated by OpenCVE AI on April 29, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Stockie Extra plugin to the latest version (>= 1.2.12) from the WordPress repository or the vendor’s download page.
  • If an update is not available, remove or disable the Stockie Extra plugin to eliminate the CSRF entry point.
  • Verify that all state‑changing actions in the site use nonces or other CSRF protections, and audit the remaining plugins for similar weaknesses.
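As an added illustration of the nonce check recommended above (example code written for this page, not code from the Stockie Extra plugin; the option name, action slug and function names are hypothetical), a WordPress admin-post handler with no CSRF protection is shown beside its hardened form, which is the pattern to look for when auditing plugins:

```php
<?php
// Added example, not code from the Stockie Extra plugin. The option name,
// action slug and function names below are hypothetical.

// BEFORE: a state-changing handler with no nonce and no capability check.
// Any page a logged-in administrator visits can POST here and change the
// option, which is the CWE-352 pattern this advisory describes.
add_action( 'admin_post_example_save_settings_unsafe', function () {
    update_option( 'example_footer_text', wp_unslash( $_POST['footer_text'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
} );

// AFTER: the form carries a nonce bound to this action, and the handler
// rejects requests that lack a valid nonce or come from an unauthorized user.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="footer_text"
               value="<?php echo esc_attr( get_option( 'example_footer_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_settings', function () {
    // Authorization: only users allowed to manage options may change this setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: the nonce is tied to the user session and the action name,
    // so a forged cross-site request cannot supply it; dies with 403 on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Input handling: unslash and sanitize before persisting.
    $text = sanitize_text_field( wp_unslash( $_POST['footer_text'] ?? '' ) );
    update_option( 'example_footer_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'options-general.php?page=example-settings' ) ) );
    exit;
} );
```

For AJAX endpoints the same role is played by check_ajax_referer(); when auditing other plugins, any update_option(), wp_update_post() or similar write reached from a request handler without a nonce verification and a current_user_can() check is a candidate for the same weakness.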



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Thu, 13 Nov 2025 11:30:00 +0000

Thu, 13 Nov 2025 10:45:00 +0000

Thu, 30 Oct 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 29 Oct 2025 15:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Oct 2025 09:00:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in colabrio Stockie Extra stockie-extra allows Cross Site Request Forgery.This issue affects Stockie Extra: from n/a through <= 1.2.11.

Type: Title
Values Added: WordPress Stockie Extra plugin <= 1.2.11 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:11.548Z

Reserved: 2025-10-29T03:08:02.189Z

Link: CVE-2025-64226

Vulnrichment

Updated: 2025-10-29T14:39:56.805Z

NVD

Status : Deferred

Published: 2025-10-29T09:15:43.567

Modified: 2026-04-27T16:16:35.660

Link: CVE-2025-64226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:30:19Z

Weaknesses