WordPress Plugin Vulnerabilities

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution < 4.2.15 - Unauthenticated Limited Local File Inclusion

Description

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included

Affects Plugins

Plugin icon
dc-woocommerce-multi-vendor
Fixed in 4.2.15

References

CVE
CVE-2025-0493
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/812029d9-95d6-4bc9-98b2-700f462163b3

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
47e8b6d1-fe53-48b0-bcdd-6e3f4e77cf38

Timeline

Publicly Published
2025-01-30 (about 1 year ago)
Added
2025-01-30 (about 1 year ago)
Last Updated
2025-01-31 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
Page Flip Image Gallery <= 0.2.2 - Remote FD Vuln
Published
2024-06-06
Title
Ovic Importer <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Download
Published
2014-08-01
Title
wp-amasin-the-amazon-affiliate-shop 0.9.6 - reviews.php url Parameter Local File Inclusion
Published
2025-01-06
Title
MIPL WC Multisite Sync < 1.1.6 - Unauthenticated Arbitrary File Download
Published
2025-04-23
Title
WPMasterToolKit (WPMTK) – All in one plugin < 2.6.0 - Authenticated (Administrator+) to Arbitrary File Read and Write