Description
Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery.This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0.
Published: 2026-01-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation via CSRF
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a cross‑site request forgery (CWE‑352) flaw in the Stock Manager for WooCommerce plugin. It allows an attacker to forge HTTP requests that are processed as if they came from an authenticated user, potentially enabling unauthorized changes to the WooCommerce store’s inventory or configuration. This can compromise both the integrity of product stock levels and the operational functionality of the e‑commerce site.

Affected Systems

All versions of the Stock Manager for WooCommerce plugin released by storeapps prior to 3.6.0 are affected. WordPress sites using any of these plugin releases are vulnerable if a user with shop‑manager or higher privileges is authenticated and visits a maliciously crafted link.

Risk and Exploitability

The CVSS v3.1 score of 5.4 indicates a moderate risk level. An Exploit Prediction Scoring System (EPSS) score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires the target user to be logged in or for an attacker to hijack their session cookies. If these conditions are met, an attacker can execute CSRF actions that manipulate inventory data and shop settings.

Generated by OpenCVE AI on April 16, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Stock Manager for WooCommerce plugin to version 3.6.0 or later.
  • If an immediate update is not available, disable the plugin to prevent any CSRF actions.
  • Ensure authentication cookies are transmitted only over HTTPS and consider enforcing two‑factor authentication for shop‑manager accounts to reduce the risk of credential compromise.

Generated by OpenCVE AI on April 16, 2026 at 17:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Storeapps
Storeapps stock Manager For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Storeapps
Storeapps stock Manager For Woocommerce
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery.This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0.
Title WordPress Stock Manager for WooCommerce plugin < 3.6.0 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Storeapps Stock Manager For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:47.927Z

Reserved: 2026-01-22T14:42:32.873Z

Link: CVE-2026-24365

cve-icon Vulnrichment

Updated: 2026-01-22T20:30:33.221Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:39.937

Modified: 2026-04-28T03:16:03.593

Link: CVE-2026-24365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses