[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBGh_cYpuX32S2t6Mg1P6Y7ZBJpgxd55F-v6O-qp0q4Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-24365","stock-manager-for-woocommerce-cross-site-request-forgery-2","Stock Manager for WooCommerce \u003C 3.6.0 - Cross-Site Request Forgery","The Stock Manager for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 3.6.0 (exclusive). This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.","woocommerce-stock-manager",null,"\u003C3.6.0","3.6.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-01-09 00:00:00","2026-02-03 20:53:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc923e7ca-355c-4007-9fa3-3ca27055d0f3?source=api-prod",26,[22,23,24,25,26,27,28,29],"admin\u002Fclass-stock-manager-admin.php","admin\u002Fincludes\u002Fclass-wsm-in-app-pricing.php","admin\u002Fincludes\u002Fclass-wsm-save.php","admin\u002Fincludes\u002Fclass-wsm-stock.php","admin\u002Fviews\u002Fadmin.php","admin\u002Fviews\u002Fimport-export.php","admin\u002Fviews\u002Flog-history.php","languages\u002Fwoocommerce-stock-manager.pot","researched",false,3,"# Exploitation Research Plan: CVE-2026-24365 (Stock Manager for WooCommerce CSRF)\n\n## 1. Vulnerability Summary\nThe **Stock Manager for WooCommerce** plugin (versions \u003C 3.6.0) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the plugin's administration logic where it processes product updates. Specifically, the file `admin\u002Fviews\u002Fadmin.php` handles `$_POST` data to update product attributes (prices, stock, SKUs) without any nonce validation. An attacker can trick a logged-in administrator or shop manager into submitting a crafted POST request, leading to unauthorized modification of store inventory data.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin.php?page=stock-manager`\n- **Method**: POST\n- **Vulnerable Hook**: The code is triggered during the rendering of the `stock-manager` admin page, which occurs when `admin\u002Fviews\u002Fadmin.php` is included.\n- **Authentication Required**: Administrator or Shop Manager (anyone with access to the Stock Manager menu).\n- **Impact**: Change product prices, stock status, stock quantities, and SKUs across the entire store.\n\n## 3. Code Flow\n1.  When an admin navigates to the \"Stock Manager\" page, WordPress loads the registered menu page.\n2.  The plugin's main class `Stock_Manager_Admin` (in `admin\u002Fclass-stock-manager-admin.php`) manages the page rendering.\n3.  The file `admin\u002Fviews\u002Fadmin.php` is included to render the interface.\n4.  At the beginning of `admin\u002Fviews\u002Fadmin.php` (lines 14-20), the following logic executes:\n    ```php\n    $product_id = ( ! empty( $_POST['product_id'] ) ) ? wc_clean( wp_unslash( $_POST['product_id'] ) ) : 0;\n    $product    = ( ! empty( $_POST ) ) ? wc_clean( wp_unslash( $_POST ) ) : array();\n    if ( ! empty( $product_id ) ) {\n        $stock->save_all( $product );\n    }\n    ```\n5.  `$stock` is an instance of `WSM_Stock`. The method `save_all` (in `admin\u002Fincludes\u002Fclass-wsm-stock.php`) is called:\n    ```php\n    public function save_all( $data ) {\n        $post = ( ! empty( $_POST ) ) ? wc_clean( wp_unslash( $_POST ) ) : array();\n        foreach ( $data['product_id'] as $item ) {\n            WSM_Save::save_one_item( $post, $item );\n        }\n    }\n    ```\n6.  `WSM_Save::save_one_item` calls `save_data`, which uses WooCommerce CRUD methods (e.g., `$_product->set_regular_price()`, `$_product->save()`) to commit changes to the database.\n7.  **Critical Failure**: There is no call to `check_admin_referer()` or `wp_verify_nonce()` before the `save_all` call.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is characterized by the **complete absence** of a nonce check for the product update action in `admin\u002Fviews\u002Fadmin.php`. Therefore, no nonce acquisition is required to exploit this specific vector.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated attacker can force an admin to change a product's price to `0.01` and its SKU to `PWNED`.\n\n**Step-by-Step Plan:**\n1.  **Identify Target Product**: Find a valid product ID (e.g., ID `123`).\n2.  **Craft POST Request**: The request must target the admin page URL and include the `product_id` array along with the fields to be modified.\n3.  **Execute via Admin Session**: Use the `http_request` tool (simulating a victim admin session) to send the payload.\n\n**Request Details:**\n- **URL**: `http:\u002F\u002F[target-site]\u002Fwp-admin\u002Fadmin.php?page=stock-manager`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters**:\n    - `product_id[]`: `123` (The ID of the target product)\n    - `regular_price`: `0.01`\n    - `sku`: `PWNED-SKU`\n    - `manage_stock`: `yes`\n    - `stock`: `9999`\n\n## 6. Test Data Setup\n1.  Ensure **WooCommerce** is installed and configured.\n2.  Install **Stock Manager for WooCommerce** version 3.5.0 or lower.\n3.  Create a test product:\n    ```bash\n    wp eval '\n    $product = new WC_Product_Simple();\n    $product->set_name(\"Target Product\");\n    $product->set_regular_price(\"100.00\");\n    $product->set_sku(\"ORIGINAL-SKU\");\n    $product->save();\n    echo $product->get_id();\n    '\n    ```\n4.  Identify the ID returned by the command above.\n\n## 7. Expected Results\n- The server should respond with a `200 OK` (as it continues to render the admin page).\n- The product with the specified ID will have its price updated to `0.01` and SKU updated to `PWNED-SKU`.\n\n## 8. Verification Steps\nAfter the `http_request`, verify the change using WP-CLI:\n```bash\n# Check price and SKU\nwp eval '\n$product = wc_get_product(TARGET_ID);\nprintf(\"SKU: %s, Price: %s\\n\", $product->get_sku(), $product->get_regular_price());\n'\n```\nSuccessful exploitation will show: `SKU: PWNED-SKU, Price: 0.01`.\n\n## 9. Alternative Approaches\nThe file `admin\u002Fviews\u002Fadmin.php` also contains another unprotected action:\n- **Action**: `save_filter_display`\n- **Parameter**: `page-filter-display`\n- **Impact**: Modifies the `wsm_display_option` WordPress option, allowing an attacker to change which columns (thumbnails, prices, weight) are visible to the administrator in the plugin's dashboard.\n\n**Request for Alternative:**\n- **URL**: `http:\u002F\u002F[target-site]\u002Fwp-admin\u002Fadmin.php?page=stock-manager`\n- **Body**: `page-filter-display=1&price=no&weight=no`\n- **Verification**: `wp option get wsm_display_option`","The Stock Manager for WooCommerce plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 3.6.0. The administration logic responsible for updating product attributes and display options fails to perform nonce validation, allowing attackers to modify store inventory data (prices, SKUs, stock levels) by tricking a logged-in administrator into visiting a malicious link.","\u002F\u002F admin\u002Fviews\u002Fadmin.php lines 16-32\n$product_id = ( ! empty( $_POST['product_id'] ) ) ? wc_clean( wp_unslash( $_POST['product_id'] ) ) : 0; \u002F\u002F phpcs:ignore\n$product    = ( ! empty( $_POST ) ) ? wc_clean( wp_unslash( $_POST ) ) : array(); \u002F\u002F phpcs:ignore\nif ( ! empty( $product_id ) ) {\n\t$stock->save_all( $product );\n\t\u002F\u002F add redirect.\n}\n\n\u002F**\n * Save display option.\n *\u002F\n$page_filter_display = ( ! empty( $_POST['page-filter-display'] ) ) ? wc_clean( wp_unslash( $_POST['page-filter-display'] ) ) : ''; \u002F\u002F phpcs:ignore\nif ( ! empty( $page_filter_display ) ) {\n\t$stock->save_filter_display( $product );\n}\n\n---\n\n\u002F\u002F admin\u002Fincludes\u002Fclass-wsm-stock.php lines 206-213\n\tpublic function save_all( $data ) {\n\t\t$post = ( ! empty( $_POST ) ) ? wc_clean( wp_unslash( $_POST ) ) : array(); \u002F\u002F phpcs:ignore\n\t\tforeach ( $data['product_id'] as $item ) {\n\t\t\tWSM_Save::save_one_item( $post, $item );\n\t\t}\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.5.0\u002Fadmin\u002Fclass-stock-manager-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.6.0\u002Fadmin\u002Fclass-stock-manager-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.5.0\u002Fadmin\u002Fclass-stock-manager-admin.php\t2025-11-13 12:15:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.6.0\u002Fadmin\u002Fclass-stock-manager-admin.php\t2026-01-07 13:43:04.000000000 +0000\n@@ -134,7 +134,7 @@\n \t\t\t\t\t\t\t\t'hide_empty' => false,\n \t\t\t\t\t\t\t)\n \t\t\t\t\t\t),\n-\t\t\t\t\t\tfunction( $carry, $item ) {\n+\t\t\t\t\t\tfunction ( $carry, $item ) {\n \t\t\t\t\t\t\t$carry[ $item->term_id ] = html_entity_decode( $item->name );\n \t\t\t\t\t\t\treturn $carry;\n \t\t\t\t\t\t},\n@@ -151,7 +151,7 @@\n \t\t\t\t\t\t\t\t\t'hide_empty' => false,\n \t\t\t\t\t\t\t\t)\n \t\t\t\t\t\t\t),\n-\t\t\t\t\t\t\tfunction( $carry, $item ) {\n+\t\t\t\t\t\t\tfunction ( $carry, $item ) {\n \t\t\t\t\t\t\t\t$carry[ $item->slug ] = $item->name;\n \t\t\t\t\t\t\t\treturn $carry;\n \t\t\t\t\t\t\t},\n@@ -280,7 +280,7 @@\n \t\t\u002F\u002F Show screen option for React App.\n \t\tadd_action(\n \t\t\t'load-' . $hook,\n-\t\t\tfunction() {\n+\t\t\tfunction () {\n \t\t\t\tadd_filter(\n \t\t\t\t\t'screen_options_show_screen',\n \t\t\t\t\tfunction () {\n@@ -462,7 +462,6 @@\n \t\t}\n \n \t\treturn $wsm_rating_text;\n-\n \t}\n \n \t\u002F**\n@@ -489,7 +488,6 @@\n \t\t}\n \n \t\treturn $wsm_text;\n-\n \t}\n \n \t\u002F**\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.5.0\u002Fadmin\u002Fincludes\u002Fclass-wsm-stock.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.6.0\u002Fadmin\u002Fincludes\u002Fclass-wsm-stock.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.5.0\u002Fadmin\u002Fincludes\u002Fclass-wsm-stock.php\t2021-10-15 08:13:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.6.0\u002Fadmin\u002Fincludes\u002Fclass-wsm-stock.php\t2026-01-07 13:43:04.000000000 +0000\n@@ -203,18 +200,6 @@\n \t}\n \n \t\u002F**\n-\t * Save all meta data.\n-\t -\n-\t * @param array $data The column key to name map.\n-\t *\u002F\n-\tpublic function save_all( $data ) {\n-\t\t$post = ( ! empty( $_POST ) ) ? wc_clean( wp_unslash( $_POST ) ) : array(); \u002F\u002F phpcs:ignore\n-\t\tforeach ( $data['product_id'] as $item ) {\n-\t\t\tWSM_Save::save_one_item( $post, $item );\n-\t\t}\n-\t}\n-\n-\t\u002F**\n \t * Save all meta data\n \t *\n \t * @param array $data The column display data.\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.5.0\u002Fadmin\u002Fviews\u002Fadmin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.6.0\u002Fadmin\u002Fviews\u002Fadmin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.5.0\u002Fadmin\u002Fviews\u002Fadmin.php\t2025-04-25 07:25:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoocommerce-stock-manager\u002F3.6.0\u002Fadmin\u002Fviews\u002Fadmin.php\t2026-01-07 13:43:04.000000000 +0000\n@@ -13,23 +13,6 @@\n \texit;\n }\n \n-$stock = $this->stock();\n-\n-\u002F**\n- * Save all data.\n- *\u002F\n-$product_id = ( ! empty( $_POST['product_id'] ) ) ? wc_clean( wp_unslash( $_POST['product_id'] ) ) : 0; \u002F\u002F phpcs:ignore\n-$product    = ( ! empty( $_POST ) ) ? wc_clean( wp_unslash( $_POST ) ) : array(); \u002F\u002F phpcs:ignore\n-if ( ! empty( $product_id ) ) {\n-\t$stock->save_all( $product );\n-\t\u002F\u002F add redirect.\n-}\n-\n-\u002F**\n- * Save display option.\n- *\u002F\n-$page_filter_display = ( ! empty( $_POST['page-filter-display'] ) ) ? wc_clean( wp_unslash( $_POST['page-filter-display'] ) ) : ''; \u002F\u002F phpcs:ignore\n-if ( ! empty( $page_filter_display ) ) {\n-\t$stock->save_filter_display( $product );\n-}\n-\n ?>\n \u003Cdiv class=\"wrap\">\n \t\u003Ch2>\u003C?php echo esc_html( get_admin_page_title() ); ?>\u003C\u002Fh2>","To exploit this CSRF vulnerability, an attacker must craft a POST request targeting the `\u002Fwp-admin\u002Fadmin.php?page=stock-manager` endpoint. The request payload must include an array of target product IDs in the `product_id[]` parameter, along with the desired attributes to change (e.g., `regular_price`, `sku`, `stock`, `manage_stock`). Since the plugin does not verify nonces during the processing of this request in `admin\u002Fviews\u002Fadmin.php`, the attacker can use social engineering to trick a logged-in administrator or shop manager into executing the request. Successful execution allows for unauthorized modification of product prices and inventory levels.","gemini-3-flash-preview","2026-05-05 13:05:01","2026-05-05 13:05:19",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-stock-manager\u002Ftags\u002F3.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-stock-manager.3.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-stock-manager\u002Ftags\u002F3.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-stock-manager.3.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-stock-manager\u002Ftags"]