CVE-2025-49977
Description
Cross-Site Request Forgery (CSRF) vulnerability in WP Inventory WP Inventory Manager wp-inventory-manager allows Cross Site Request Forgery. This issue affects WP Inventory Manager: from n/a through <= 2.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in WP Inventory Manager up to version 2.3.4 allows attackers to forge requests on behalf of authenticated users, leading to unauthorized actions.
The WP Inventory Manager plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions through 2.3.4. The root cause is a lack of CSRF token validation on state-changing requests, enabling an attacker to craft malicious links or forms that, when visited by a privileged user, execute unintended actions under that user's authentication [1].
Exploitation does not require prior authentication for the attacker, but depends on tricking a logged-in user (e.g., an administrator) into clicking a crafted link or submitting a malicious form. No additional privileges beyond the target user's session are needed, making the attack surface broad across any site using the vulnerable plugin [1].
Successful CSRF exploitation allows an attacker to perform any action the targeted user can, including modifying plugin settings, deleting inventory data, or making other unauthorized changes. The impact is limited by the privileges of the victim user but can lead to partial loss of data integrity and availability [1].
The plugin vendor has released version 2.3.5 which fixes the vulnerability. Users are advised to update immediately or enable auto-updates for the plugin. While the severity is rated medium (CVSS 4.3), the vulnerability is part of documented mass-exploit patterns, so prompt mitigation is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
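To make the stated root cause (state-changing requests accepted without a CSRF token check) concrete, the following is an added illustration, not code from WP Inventory Manager or its vendor. It shows a WordPress admin-post handler that deletes an inventory item, first in the unprotected form and then with the standard WordPress nonce check. The demo_ function and action names, the manage_options capability, and the form markup are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Function, action and page names
// (demo_*) are hypothetical.

// --- Unprotected pattern: the class of bug the advisory describes ---
function demo_inventory_delete_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // A capability check alone does not stop CSRF: the victim's browser
    // attaches the login cookie automatically, so a request submitted by a
    // third-party page passes this check with the victim's privileges.
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    wp_delete_post( $item_id, true );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-inventory' ) );
    exit;
}

// --- Hardened pattern: nonce emitted with the form, verified on submit ---
function demo_inventory_delete_form( $item_id ) {
    $item_id = absint( $item_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_inventory_delete">
        <input type="hidden" name="item_id" value="<?php echo $item_id; ?>">
        <?php
        // Nonce is bound to the current user session and to this item id,
        // so a token captured for one item cannot be replayed for another.
        wp_nonce_field( 'demo_inventory_delete_' . $item_id, '_demo_nonce' );
        ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}

function demo_inventory_delete_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    // check_admin_referer() verifies the nonce named '_demo_nonce' against the
    // same action string used when the form was rendered and calls wp_die()
    // on mismatch, so a request forged from another origin never reaches the
    // delete call.
    check_admin_referer( 'demo_inventory_delete_' . $item_id, '_demo_nonce' );
    wp_delete_post( $item_id, true );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-inventory' ) );
    exit;
}

// Route admin-post.php?action=demo_inventory_delete to the protected handler.
add_action( 'admin_post_demo_inventory_delete', 'demo_inventory_delete_protected' );
```

When reviewing a plugin for this bug class, the check is mechanical: every handler registered on admin_post_*, admin-ajax.php (wp_ajax_*) or a settings page that writes data should call check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before the write, and the matching form or link should carry the nonce produced by wp_nonce_field() or wp_nonce_url(). A capability check on its own, as in the first handler above, is not sufficient.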
Affected products
- Range: <=2.3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.