CVE-2025-49977
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress WP Inventory Manager plugin versions up to 2.3.4. It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions on the site without their consent, potentially compromising the site's integrity. The vulnerability requires no authentication to exploit and is classified under OWASP Top 10 A1: Broken Access Control. [1]
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can cause authenticated users with higher privileges to unknowingly execute unwanted actions, which may compromise the integrity of your site. Although the severity is low and it is unlikely to be widely exploited, it still poses a risk to site control and security. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no official patch or fixed version is currently available for this vulnerability, immediate mitigation steps include applying virtual patching (vPatching) provided by Patchstack, which auto-mitigates the vulnerability even without official fixes. Additionally, users should monitor for updates and consider implementing additional security measures to protect against exploitation. [1]