Lucene search

PRIOn knowledge basePRION:CVE-2022-2518

HistorySep 06, 2022 - 6:15 p.m.

Cross site request forgery (csrf)

2022-09-0618:15:00

PRIOn knowledge base

www.prio-n.com

cross-site request forgery

missing nonce validation

unauthenticated attackers

plugin settings

malicious web scripts

forged request

site administrator

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.0%

JSON

The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin’s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CPENameOperatorVersion
stockists_manager_for_woocommercele1.0.2.1

CPE	Name	Operator	Version
	stockists_manager_for_woocommerce	le	1.0.2.1

References

plugins.trac.wordpress.org/browser/stockists-manager/trunk/stockist_settings.php

wordpress.org/plugins/stockists-manager/

www.wordfence.com/threat-intel/vulnerabilities/id/5b5e0204-4a05-45c1-833a-c2e4016d9830?source=cve

www.wordfence.com/vulnerability-advisories/