WordPress Plugin Vulnerabilities

MultiVendorX < 4.0.26 - Improper Authorization on REST Routes via 'save_settings_permission'

Description

The MultiVendorX plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to an improper capability check on the 'save_settings_permission' function for the REST routes instantiated by the 'mvx_rest_routes_react_module' function versions up to, and including, 4.0.25. This makes it possible for unauthenticated attackers to create, update, and delete vendors, retrieve sensitive information, and modify plugin settings.

Affects Plugins

Plugin icon
dc-woocommerce-multi-vendor
Fixed in 4.0.26

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/afd9046c-5b6a-411e-8e66-ff1ba60d7f9d

Miscellaneous

Verified
No
WPVDB ID
38572fcd-6070-4dbc-86ea-4a046dadee8e

Timeline

Publicly Published
2023-09-12 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-11-24 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
WP Print Friendly <= 0.5.2 - Security Bypass
Published
2014-08-01
Title
NextGen Cu3er Gallery - Information Disclosure
Published
2014-08-01
Title
Blaze Slideshow 2.1 - Unspecified Security
Published
2014-08-01
Title
DejaVu 2.4 - dl-skin.php _mysite_download_skin Parameter Absolute Path Traversal Remote File Download
Published
2025-02-03
Title
Real Estate Manager – Property Listing and Agent Management <= 7.3 - CAPTCHA Bypass