Description
Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Cross Site Request Forgery.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.11.0.
Published: 2026-04-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw in the WordPress Barcode Scanner with Inventory & Order Manager plugin. A malicious site could send a forged request that the plugin processes as though it were sent by an authenticated user, potentially causing unintended changes to inventory or order data. While it does not provide remote code execution, the ability to alter business data carries moderate risk to confidentiality and integrity.

Affected Systems

The affected product is the Barcode Scanner with Inventory & Order Manager plugin provided by Dmitry V., CEO of UKR Solution. All releases from the original build through and including version 1.11.0 are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and no EPSS data is available, so the exploitation probability is currently unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is that an attacker designs a malicious web page that posts a request to the plugin’s endpoints while an authenticated user visits that page; successful exploitation would rely on that user’s valid session and on the plugin’s lack of origin or CSRF token validation as identified in CWE‑352.

Generated by OpenCVE AI on April 29, 2026 at 12:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Barcode Scanner with Inventory & Order Manager plugin to a version newer than 1.11.0 or to the latest release once available.
  • After upgrading, verify that all state‑changing actions require a valid CSRF token or session authentication and that cross‑origin requests are rejected.
  • If an immediate upgrade is not possible, temporarily disable the plugin’s administrative features or restrict access to the plugin’s endpoints to trusted IP addresses until the patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 12:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Cross Site Request Forgery.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.11.0.
Title WordPress Barcode Scanner with Inventory & Order Manager plugin <= 1.11.0 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T13:18:00.172Z

Reserved: 2026-04-29T09:04:31.204Z

Link: CVE-2026-42645

cve-icon Vulnrichment

Updated: 2026-04-29T13:17:55.679Z

cve-icon NVD

Status : Deferred

Published: 2026-04-29T12:16:19.790

Modified: 2026-04-29T21:15:41.667

Link: CVE-2026-42645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:00:06Z

Weaknesses