WordPress Plugin Vulnerabilities

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution < 4.2.1 - Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover

Description

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.

Affects Plugins

Plugin icon
dc-woocommerce-multi-vendor
Fixed in 4.2.1

References

CVE
CVE-2024-8289
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a85fbaff-d566-4ed2-8943-c174e0c4d2d8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
714e85f3-b280-44b3-9ef3-21b5cd6f4b48

Timeline

Publicly Published
2024-09-03 (about 1 year ago)
Added
2024-09-03 (about 1 year ago)
Last Updated
2024-09-04 (about 1 year ago)

Other

Published
Title
Published
2026-02-09
Title
Travel Booking < 1.4.0 - Missing Authorization
Published
2025-07-14
Title
Alone – Charity Multipurpose Non-profit WordPress Theme < 7.8.5 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
Published
2023-12-27
Title
WooCommerce Easy Duplicate Product < 0.3.0.8 - Missing Authorization via wedp_duplicate_product_action
Published
2024-07-23
Title
Social Auto Poster < 5.3.15 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
Published
2025-09-22
Title
Hide WP Toolbar <= 2.7 - Missing Authorization