WordPress Plugin Vulnerabilities

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution < 4.2.5 - Missing Authorization to Forged Vendor Profile Deletion Email Sending

Description

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor.

Affects Plugins

Plugin icon
dc-woocommerce-multi-vendor
Fixed in 4.2.5

References

CVE
CVE-2024-9531
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5af1063c-615e-4196-9fa6-960c008544c4

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Tieu Pham Trong Nhan
Verified
No
WPVDB ID
18d5e057-efc0-4dff-b7e3-09ce463e569d

Timeline

Publicly Published
2024-10-23 (about 1 year ago)
Added
2024-10-29 (about 1 year ago)
Last Updated
2024-10-29 (about 1 year ago)

Other

Published
Title
Published
2026-02-28
Title
Payment Gateway Pix For GiveWP < 2.2.4 - Missing Authorization
Published
2024-12-19
Title
Userpro <= 5.1.9 - Missing Authorization
Published
2024-04-22
Title
Evergreen Content Poster < 1.4.3 - Missing Authorization
Published
2023-11-16
Title
Live Preview for Contact Form 7 <= 1.2.0 - Missing Authorization via update_option
Published
2025-11-11
Title
Booking Calendar | Appointment Booking | Bookit < 2.5.1 - Missing Authorization to Unauthenticated Stripe Connection