WordPress Plugin Vulnerabilities

MultiLoca < 4.2.9 - Unauthenticated Arbitrary Options Update via 'wcmlim_settings_ajax_handler'

Description

The plugin is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

Plugin icon
WooCommerce-Multi-Locations-Inventory-Management
Fixed in 4.2.9

References

CVE
CVE-2025-9054
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6a04e6ad-9365-4cb5-a0a0-82e047647d6b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Thái An
Verified
No
WPVDB ID
c332177a-9582-49a9-8565-ab8bf1b5222c

Timeline

Publicly Published
2025-09-23 (about 7 months ago)
Added
2025-09-23 (about 7 months ago)
Last Updated
2026-05-11 (about 2 days ago)

Other

Published
Title
Published
2026-02-16
Title
leadlovers forms <= 1.0.2 - Missing Authorization
Published
2026-01-14
Title
Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.3 - Missing Authorization to Unauthenticated File Deletion
Published
2025-03-27
Title
WPC Smart Upsell Funnel for WooCommerce < 3.0.5 - Authenticated (Subscriber+) Arbitrary Options Update
Published
2024-03-29
Title
Layouts for Elementor < 1.8 - Missing Authorization to Unauthenticated Arbitrary File Upload
Published
2025-06-19
Title
Giveaways and Contests by RafflePress < 1.12.19 - Missing Authorization