CVE-2022-3451

CVE-2022-3451: Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls

Vendor Unknown

Product Product Stock Manager

Weakness CWE-862 · Missing authorization

Published November 7, 2022

Last update May 1, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options

Key dates

02Disclosure timeline

November 7, 2022 CVE published

May 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-3451 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2023-2353 CHP Ads Block Detector <= 3.9.4 - Missing Authorization to Plugin Settings Update CVE-2026-4292 Privilege abuse in ModelAdmin.list_editable CVE-2023-0402 Social Warfare <= 4.3.0 - Missing Authorization CVE-2025-14441 Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion CVE-2025-7782 WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via 'status'