The plugin does not perform a CSRF (nonce) check on its inventory item delete action, so an attacker who can get a logged-in administrator to visit a crafted page can make that administrator's browser delete Inventory Items without their consent.
PoC: lure a logged-in admin into loading a page that issues a request to http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpim_manage_inventory_items&action=delete&delete_id=2 (for example via an image tag or auto-submitted form); the browser attaches the admin's session cookies and the item with delete_id=2 is removed.
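The request above works because the delete action is reachable by a plain GET that carries nothing tying it to the admin's session. The following is an added illustration, not code from the WP Inventory Manager plugin: a hypothetical admin handler written first in the CSRF-able form, then hardened with WordPress's own nonce machinery (wp_nonce_url() to mint the link and check_admin_referer() to verify it) plus a capability check. The function names, the manage_options capability and the wpim_items table are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Handler names, capability and
// table name are assumptions chosen for illustration.

// --- Vulnerable pattern: GET-triggered state change with no nonce check ---
// Any page a logged-in admin loads can embed
//   <img src="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpim_manage_inventory_items&action=delete&delete_id=2">
// and the browser sends the admin's cookies with it, so the delete runs.
function wpim_delete_item_vulnerable() {
    global $wpdb;
    if ( isset( $_GET['action'] ) && 'delete' === $_GET['action'] && isset( $_GET['delete_id'] ) ) {
        $id = (int) $_GET['delete_id'];
        // Hypothetical table; no authorization and no CSRF defence before the write.
        $wpdb->delete( $wpdb->prefix . 'wpim_items', array( 'id' => $id ), array( '%d' ) );
    }
}

// --- Hardened pattern: nonce bound to the action and the item id ---
// Render delete links with a nonce so only links minted inside the admin's
// own session (and within the nonce lifetime) are accepted.
function wpim_delete_link( $id ) {
    $url = admin_url( 'admin.php?page=wpim_manage_inventory_items&action=delete&delete_id=' . (int) $id );
    // Appends _wpnonce=<token>; the token is tied to the current user and this action string.
    return wp_nonce_url( $url, 'wpim_delete_item_' . (int) $id );
}

function wpim_delete_item_hardened() {
    global $wpdb;
    if ( ! isset( $_GET['action'] ) || 'delete' !== $_GET['action'] || ! isset( $_GET['delete_id'] ) ) {
        return;
    }
    $id = (int) $_GET['delete_id'];

    // Authorization: the caller must hold the capability that manages inventory (assumed here).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // CSRF defence: verifies $_REQUEST['_wpnonce'] against the per-item action string
    // and terminates the request ("The link you followed has expired") if it is absent or wrong.
    // A cross-site <img> or form cannot supply a valid token, so the attack from the PoC fails.
    check_admin_referer( 'wpim_delete_item_' . $id );

    $wpdb->delete( $wpdb->prefix . 'wpim_items', array( 'id' => $id ), array( '%d' ) );
}
```

Binding the nonce to the item id (wpim_delete_item_2 rather than a single wpim_delete) means a token leaked for one item cannot be replayed against another; moving the action to POST on top of the nonce check is a further improvement, since a GET that changes state is also exposed to prefetching and link previews.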
CPE | Name | Operator | Version
---|---|---|---
| wp-inventory-manager | lt | 2.1.0.14