WordPress Plugin Vulnerabilities

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution < 4.2.20 - Missing Authorization to Unauthenticated Table Rates Deletion

Description

The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.

Affects Plugins

Plugin icon
dc-woocommerce-multi-vendor
Fixed in 4.2.20

References

CVE
CVE-2025-2789
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf4eca37-066f-428c-a4f7-061ce06e1142

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Brian Sans-Souci (liardom)
Verified
No
WPVDB ID
b2f365c0-833a-4ebb-8122-32c934f93805

Timeline

Publicly Published
2025-04-04 (about 1 year ago)
Added
2025-04-04 (about 1 year ago)
Last Updated
2025-04-05 (about 1 year ago)

Other

Published
Title
Published
2025-10-02
Title
Constructor <= 1.6.5 - Missing Authorization to Authenticated (Subscriber+) Theme Clean
Published
2025-05-16
Title
Pinterest Automatic Pin <= 4.19.0 - Missing Authorization
Published
2024-12-05
Title
AI Quiz | Quiz Maker <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2026-05-11
Title
Motors – Car Dealership & Classified Listings Plugin < 1.4.104 - Missing Authorization to Authenticated (Subscriber+) Payment Bypass via 'stm_payment_status' Parameter
Published
2025-10-08
Title
Rank Math SEO PRO < 3.0.97 - Missing Authorization