CVE-2022-2518 in Stockists Manager for Woocommerce Plugin
Summary
by MITRE • 09/06/2022
The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/08/2026
The vulnerability identified in CVE-2022-2518 affects the Stockists Manager for Woocommerce plugin, a widely used WordPress extension that enables businesses to manage and display store locations. This plugin operates within the WordPress ecosystem and provides administrative functionality for configuring location-based services. The vulnerability stems from insufficient security controls within the plugin's codebase, specifically within the stockist_settings_main() function that handles administrative settings modifications. The flaw represents a critical security gap that undermines the integrity of the plugin's administrative interface and exposes WordPress sites running vulnerable versions to potential compromise.
The technical flaw manifests as a missing nonce validation mechanism within the plugin's settings handler function. Nonces, or numbers used once, serve as critical security tokens that verify the authenticity of administrative actions within WordPress. When this validation is absent, attackers can craft malicious requests that appear to originate from legitimate administrative sessions. The vulnerability specifically affects versions up to and including 1.0.2.1, indicating that the developers failed to implement proper request verification mechanisms during the plugin's development lifecycle. This absence of nonce validation creates a persistent attack vector that remains exploitable as long as vulnerable versions remain installed on WordPress sites.
The operational impact of this CSRF vulnerability extends beyond simple data manipulation to potentially enable full administrative compromise of affected WordPress installations. Unauthenticated attackers can leverage this weakness to inject malicious web scripts into the plugin's settings, potentially creating backdoors or redirecting users to malicious sites. The attack requires social engineering elements to trick administrators into clicking malicious links, but once successful, the consequences can be severe. Attackers could modify critical plugin settings, inject malicious code that persists across user sessions, or establish persistent access points within the compromised WordPress environment. This vulnerability directly aligns with CWE-352, which categorizes Cross-Site Request Forgery as a weakness where applications fail to validate that requests originate from legitimate sources.
The security implications of this vulnerability place it within the ATT&CK framework's privilege escalation and persistence domains. Attackers can exploit this weakness to gain administrative privileges within the WordPress environment, potentially leading to complete site compromise. The vulnerability affects the plugin's integrity and confidentiality, as attackers can modify settings without proper authorization while also potentially compromising user data through malicious script injection. The attack vector relies on user interaction, making it particularly dangerous in environments where administrators frequently click on links from untrusted sources. This makes the vulnerability particularly concerning for e-commerce sites that rely on the Stockists Manager plugin for business operations.
Mitigation strategies for this vulnerability require immediate action from site administrators to upgrade to patched versions of the plugin. The developers should implement proper nonce validation within the stockist_settings_main() function to ensure all administrative requests undergo proper authentication checks. Site administrators must also conduct thorough security audits of their WordPress installations to identify other potentially vulnerable plugins or themes. Additional protective measures include implementing web application firewalls, monitoring for suspicious administrative activities, and educating site administrators about social engineering threats. Regular security updates and patch management processes should be prioritized to prevent similar vulnerabilities from arising in the future. Organizations should also consider implementing security monitoring tools that can detect unauthorized administrative changes to WordPress plugins and themes.