CVE-2021-34619

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the WooCommerce Stock Manager WordPress plugin lets an attacker trick a logged-in administrator's browser into submitting a file upload to the plugin's import/export screen. The handler did not check a WordPress nonce, so any file, including a PHP webshell, can be written to the site, which typically leads to remote code execution. It affects WordPress sites running the plugin up to and including version 2.5.7. The attacker needs no account on the site and no direct access to it; the administrator only has to load an attacker-controlled page while logged in.

💻 Affected Systems

Products:
  • WooCommerce Stock Manager WordPress Plugin
Versions: All versions up to and including 2.5.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: The plugin must be active. The forged request is only accepted when a logged-in user who can use the plugin's import page (an administrator) submits it, so the attacker has to lure such a user to a page they control while the admin session is live.

📦 What is this software?

A WordPress plugin that adds bulk stock management for WooCommerce products to the admin dashboard, including CSV import and export of stock data. The import/export screen (admin/views/import-export.php) is where this flaw lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site compromise via webshell upload leading to data theft, defacement, or ransomware deployment

🟠 Likely Case: Malicious file upload enabling backdoor access, data exfiltration, or cryptocurrency mining

🟢 If Mitigated: Failed exploitation attempts logged with no impact because the nonce check rejects forged requests

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (the attacker needs no account, but a logged-in administrator's browser must submit the forged request)
Complexity: LOW

Exploitation requires luring an administrator who is logged in to the WordPress site to a page the attacker controls (a link in email or chat, a malicious ad, a compromised third-party site). That page auto-submits a multipart POST to the plugin's import endpoint and the browser attaches the admin's session cookie; the only interaction needed from the victim is loading the page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.8 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2499178/woocommerce-stock-manager/trunk/admin/views/import-export.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WooCommerce Stock Manager
4. Click 'Update Now' if available
5. If manual update needed, download version 2.5.8+ from WordPress.org
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Disable Plugin (all platforms)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate woocommerce-stock-manager

Add CSRF Protection (all platforms)

Add nonce verification to the vulnerable file via custom code: edit /wp-content/plugins/woocommerce-stock-manager/admin/views/import-export.php so the import form emits a nonce with wp_nonce_field() and the handler verifies it (check_admin_referer() or wp_verify_nonce()) before it touches the uploaded file. This is the kind of check the 2.5.8 fix adds. A hand edit to a plugin file is overwritten by the next plugin update, so treat it as a stopgap and apply the update as soon as possible.
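To make the workaround and the official fix concrete, here is an added example (not the plugin's own code and not the 2.5.8 patch) of a stripped-down admin import handler in the shape of the vulnerable pattern, next to a hardened version. The wcsm_ prefix, the function names, the form field name import_file, the nonce action string and the use of the WooCommerce manage_woocommerce capability are assumptions for illustration; the real plugin's identifiers differ.

```php
<?php
// Added example, not the plugin's own code. The wcsm_ prefix, function names,
// the form field name and the nonce action string are assumptions for
// illustration.

// Minimal CSV consumer so the file is self-contained: returns the row count.
function wcsm_process_csv( string $path ): int {
    $rows = 0;
    $fh   = fopen( $path, 'r' );
    while ( false !== fgetcsv( $fh ) ) {
        $rows++;
    }
    fclose( $fh );
    return $rows;
}

// --- Vulnerable shape ------------------------------------------------------
// Nothing here proves the request came from the plugin's own page. A logged-in
// administrator whose browser loads an attacker's page that auto-submits a
// multipart form to this handler sends the admin's session cookie with it, and
// the attacker-chosen filename (shell.php) is written verbatim under uploads.
function wcsm_vulnerable_import_handler() {
    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        return;
    }
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $_FILES['import_file']['name'] );
    move_uploaded_file( $_FILES['import_file']['tmp_name'], $dest );
    wcsm_process_csv( $dest );
}

// --- Hardened shape --------------------------------------------------------
function wcsm_hardened_import_form() {
    echo '<form method="post" enctype="multipart/form-data">';
    // Emits a hidden field wcsm_import_nonce tied to this user's session and
    // the action string; a cross-site page cannot read or forge it.
    wp_nonce_field( 'wcsm_import_stock', 'wcsm_import_nonce' );
    echo '<input type="file" name="import_file" accept=".csv">';
    submit_button( 'Import' );
    echo '</form>';
}

function wcsm_hardened_import_handler() {
    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        return;
    }
    // 1. CSRF: the nonce must be present and valid for this user and action.
    //    check_admin_referer() calls wp_die() on failure, so nothing below runs.
    check_admin_referer( 'wcsm_import_stock', 'wcsm_import_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege; check both.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wcsm' ), 403 );
    }

    // 3. Accept only CSV: extension and MIME type are checked against the
    //    file content, not just the client-supplied name.
    $check = wp_check_filetype_and_ext(
        $_FILES['import_file']['tmp_name'],
        $_FILES['import_file']['name'],
        array( 'csv' => 'text/csv' )
    );
    if ( 'csv' !== $check['ext'] ) {
        wp_die( esc_html__( 'Only CSV files are accepted.', 'wcsm' ), 400 );
    }

    // 4. Let WordPress place the file: wp_handle_upload() re-validates the
    //    type against the allowed list and sanitises the stored filename.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload(
        $_FILES['import_file'],
        array( 'test_form' => false, 'mimes' => array( 'csv' => 'text/csv' ) )
    );
    if ( isset( $upload['error'] ) ) {
        wp_die( esc_html( $upload['error'] ), 400 );
    }
    wcsm_process_csv( $upload['file'] );
    unlink( $upload['file'] ); // transient input, not an asset to serve
}
```

The vulnerable function is the "before" and must not be deployed; it is there to show exactly what a nonce check prevents. In a real plugin the form renders from the submenu page callback and the handler runs before any output (for example on admin_init, gated on the page slug). Note that the nonce alone does not make the upload safe: steps 2 to 4 are what keep a valid but careless submission from writing executable files, and they are independent of the CSRF fix.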

🧯 If You Can't Patch

  • Deny execution of PHP (and other server-side scripts) under wp-content/uploads in the web server configuration or a .htaccess file there, so an uploaded webshell cannot run even if it lands
  • Put a web application firewall in front of wp-admin that drops cross-site POSTs (Origin or Referer not from the site, or Sec-Fetch-Site: cross-site) and inspects multipart uploads for script content; the WAF cannot see whether a nonce is valid, so it is a compensating control, not a substitute for the patch

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin get woocommerce-stock-manager --field=version

Verify Fix Applied:

Verify the version is 2.5.8 or higher, and confirm that admin/views/import-export.php contains a nonce check (for example wp_verify_nonce() or check_admin_referer()) that runs before the uploaded file is handled.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the plugin's import-export admin page (reported here as /wp-admin/admin.php?page=import-export) whose Referer is missing or not from the site's own wp-admin; the nonce itself is a POST body field validated server-side, so a failed nonce check is not visible in access logs unless the application logs it
  • Unexpected files appearing in wp-content/uploads, in particular .php or other executable types, created around the time of such a POST

Network Indicators:

  • HTTP requests with file uploads to import-export endpoint from unexpected sources

SIEM Query:

source="wordpress.log" AND ("import-export.php" OR "stock-manager") AND ("POST" OR "upload")
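The log indicators above, as an added example (not from the original page or the plugin): a small PHP CLI script that parses combined-format access log lines and flags POSTs to the import-export admin page whose Referer is absent or not from this site's wp-admin. The log lines are constructed for the example; the site host and the page slug are assumptions and should be set to the real values on the installation being monitored.

```php
<?php
// Added example, not from the page or the plugin. Site host and admin page
// slug are assumptions; set them to the real values for your install.
const WCSM_SITE_HOST = 'shop.example.com';

// Combined log format with Referer and User-Agent appended.
const WCSM_LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

function wcsm_parse_line(string $line): ?array {
    return preg_match(WCSM_LOG_RE, $line, $m) ? $m : null;
}

// Matches the import-export page slug wherever it sits in the query string.
function wcsm_is_import_export_post(array $req): bool {
    return $req['method'] === 'POST'
        && preg_match('#^/wp-admin/admin\.php\?(?:.*&)?page=import-export(?:&|$)#', $req['path']) === 1;
}

// A legitimate submission of the plugin's own form comes from a page under
// https://<site>/wp-admin/. A CSRF submission carries the attacker's origin
// as Referer, or none at all ("-" in the log) when the lure page sends
// Referrer-Policy: no-referrer.
function wcsm_referer_is_own_admin(string $referer, string $host): bool {
    if ($referer === '-' || $referer === '') {
        return false;
    }
    $u = parse_url($referer);
    return isset($u['host'], $u['path'])
        && strcasecmp($u['host'], $host) === 0
        && strpos($u['path'], '/wp-admin/') === 0;
}

function wcsm_find_suspicious(array $lines, string $host = WCSM_SITE_HOST): array {
    $hits = [];
    foreach ($lines as $line) {
        $req = wcsm_parse_line($line);
        if ($req === null || !wcsm_is_import_export_post($req)) {
            continue;
        }
        if (!wcsm_referer_is_own_admin($req['referer'], $host)) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'referer' => $req['referer']];
        }
    }
    return $hits;
}

// Constructed sample lines: a normal admin import, a CSRF-shaped POST with a
// foreign Referer, one with no Referer, and an unrelated GET of the page.
$sample = [
    '203.0.113.7 - - [10/Jul/2021:14:02:11 +0000] "POST /wp-admin/admin.php?page=import-export HTTP/1.1" 302 0 "https://shop.example.com/wp-admin/admin.php?page=import-export" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2021:14:05:40 +0000] "POST /wp-admin/admin.php?page=import-export HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2021:14:06:02 +0000] "POST /wp-admin/admin.php?page=import-export HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2021:14:07:00 +0000] "GET /wp-admin/admin.php?page=import-export HTTP/1.1" 200 5120 "https://shop.example.com/wp-admin/" "Mozilla/5.0"',
];

// Expected: the second and third lines are reported, the others are not.
foreach (wcsm_find_suspicious($sample) as $hit) {
    printf("suspicious import-export POST from %s at %s (Referer: %s)\n",
        $hit['ip'], $hit['time'], $hit['referer']);
}
```

A browser does not let a cross-site form set the Referer to the victim site, so a foreign Referer on this endpoint is a strong signal. A missing Referer is weaker: an administrator behind a strict referrer policy produces the same line, so treat those hits as leads to correlate with new files under wp-content/uploads rather than as confirmed exploitation. If the web server logs the Sec-Fetch-Site request header, matching on cross-site there is cleaner than Referer parsing.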
