Authenticated Product Settings Change Vulnerability in WooCommerce Stock Manager
Using WooCommerce introduces an additional security risk, because by default WooCommerce allows customers to create WordPress accounts. That matters because many of the security vulnerabilities being found these days, by others and by us, involve something that is only exploitable by logged-in users. Given that risk, you would hope that developers of plugins that interact with WooCommerce would be careful to avoid that type of issue, but when we decided to start doing some checks over WooCommerce-related plugins we immediately spotted just such an issue.
The WooCommerce Stock Manager plugin allows you to “manage stock for products and their variables from one screen”. Changes from that page are made through the AJAX-accessible function stock_manager_save_one_product_stock_data(), in the file /woocommerce-stock-manager.php. AJAX-accessible functions are normally available to any logged-in user, so if, as is the case here, a function is only intended to be accessible to a certain subset of logged-in users, you need to put in a check to make sure that it is only accessible to them. That was not done with this plugin, as of version 1.0.7.
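
The kind of check described above, as an added example that is not the plugin's own code or its fix: an AJAX handler that verifies the caller's capability and a nonce before changing a product's stock. The action name, nonce action, function name and request field names are assumptions made for illustration; `manage_woocommerce` is the standard WooCommerce shop-management capability.

```php
<?php
// Added example: hypothetical handler, not code from WooCommerce Stock Manager.

// wp_ajax_{action} fires for ANY logged-in user, including WooCommerce
// customer accounts, so registering the hook is not an access control.
add_action( 'wp_ajax_example_save_one_product_stock', 'example_save_one_product_stock' );

function example_save_one_product_stock() {
	// 1. Authorization: only users allowed to manage the shop may continue.
	//    wp_send_json_error() sends the response and ends the request.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// 2. Request forgery protection: the admin page must embed a nonce
	//    created with wp_create_nonce( 'example_save_stock' ).
	if ( ! check_ajax_referer( 'example_save_stock', 'security', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
	}

	// 3. Input validation: the product must exist and the stock value
	//    must be numeric before anything is written.
	$product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
	$product    = $product_id ? wc_get_product( $product_id ) : false;
	if ( ! $product ) {
		wp_send_json_error( array( 'message' => 'Unknown product' ), 404 );
	}
	if ( ! isset( $_POST['stock'] ) || ! is_numeric( wp_unslash( $_POST['stock'] ) ) ) {
		wp_send_json_error( array( 'message' => 'Invalid stock value' ), 400 );
	}

	// 4. Apply the change through the WooCommerce product API.
	$product->set_manage_stock( true );
	$product->set_stock_quantity( wc_stock_amount( wp_unslash( $_POST['stock'] ) ) );
	$product->save();

	wp_send_json_success(
		array(
			'product_id' => $product_id,
			'stock'      => $product->get_stock_quantity(),
		)
	);
}
```

The capability check comes first so that a customer-level account is rejected before any request data is processed; the nonce alone would not be sufficient if it were exposed on a page that lower-privileged users can load.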