CVE-2026-42645
Description
Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager (barcode-scanner-lite-pos-to-manage-products-inventory-and-orders) allows Cross Site Request Forgery. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.11.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Barcode Scanner with Inventory & Order Manager allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
The Barcode Scanner with Inventory & Order Manager plugin for WordPress (versions up to and including 1.11.0) is affected by a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw originates from insufficient validation of requests made to the plugin's admin functionality, allowing an attacker to trick a logged-in administrator into performing unintended actions without their knowledge [1].
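The "insufficient validation of requests" described above is the generic WordPress CSRF pattern: an admin endpoint that trusts the logged-in session cookie alone, so a request forged from another origin is processed as if the administrator had submitted it. The following is an added illustration, not code from the plugin or its vendor, and it makes no claim about which handler in the plugin was affected or how version 1.12.0 fixes it. The function, hook, option and script names are hypothetical; the WordPress APIs used (check_ajax_referer, current_user_can, wp_create_nonce, wp_localize_script) are real core functions.

```php
<?php
// Added example (not the plugin's code): a generic WordPress admin-ajax handler
// shown first without CSRF protection, then hardened with a nonce and a
// capability check. All bsl_demo_* names are hypothetical.

// BEFORE: any POST arriving with the victim's session cookie is honoured.
// A form auto-submitted from an attacker-controlled page satisfies
// is_user_logged_in(), so the setting is changed without the admin's intent.
function bsl_demo_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'bsl_demo_setting', $value );
    wp_send_json_success();
}

// AFTER: require a per-user, per-action nonce that a cross-site page cannot
// read, and additionally check the capability (a nonce proves intent, not
// authorisation, so both checks are needed).
function bsl_demo_save_settings_hardened() {
    // Dies with a 403 response when the 'nonce' field is missing or does not
    // verify for the action 'bsl_demo_save_settings'.
    check_ajax_referer( 'bsl_demo_save_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'bsl_demo_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_bsl_demo_save_settings', 'bsl_demo_save_settings_hardened' );

// Issue the nonce only on the plugin's own admin screen, where the legitimate
// JavaScript picks it up and sends it as the 'nonce' POST field.
function bsl_demo_enqueue_admin_script( $hook_suffix ) {
    if ( 'toplevel_page_bsl_demo' !== $hook_suffix ) { // hypothetical screen id
        return;
    }
    wp_enqueue_script(
        'bsl-demo-admin',
        plugins_url( 'js/admin.js', __FILE__ ), // hypothetical script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'bsl-demo-admin', 'bslDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'bsl_demo_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'bsl_demo_enqueue_admin_script' );
```

When reviewing a plugin for this class of bug, the check is mechanical: every wp_ajax_*, admin_post_* and admin-page form handler that changes state should call check_ajax_referer() or check_admin_referer() (or wp_verify_nonce() with an explicit failure path) and a current_user_can() test before touching options or data. A handler that only tests is_user_logged_in(), or that verifies a nonce but no capability, is the pattern an update such as the one described under Mitigation would be expected to close.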
Exploitation Details
Exploitation does not require any special network position; the attack is delivered via social engineering. An attacker must convince a privileged user (such as an administrator) to click a crafted link, visit a malicious page, or submit a specially designed form while authenticated to the WordPress site [1]. The vulnerability does not require any authentication on the attacker's part, only the victim's active session [1].
Impact
Successful exploitation could allow an attacker to force the privileged user to carry out unwanted actions under their current authentication, such as modifying plugin settings, deleting inventory data, or other administrative operations that the victim has permission to perform [1]. The CVSS v3 score is 4.3 (Medium), reflecting the requirement for user interaction and the potential for partial impact on integrity and availability [1].
Mitigation
The vendor has released version 1.12.0 which addresses the CSRF issue. Users are strongly advised to update to version 1.12.0 or later [1]. For sites using Patchstack, enabling auto-update for vulnerable plugins is recommended [1]. While the vulnerability is considered low severity, it may be targeted in mass-exploit campaigns if not patched [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.11.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.