WordPress Plugin Vulnerabilities

WC Marketplace < 4.0.24 - Missing Authorization via mvx_save_dashpages

Description

The WC Marketplace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_save_dashpages' function in versions up to, and including, 4.0.23. This makes it possible for unauthenticated attackers to update the plugin's settings.

Affects Plugins

Plugin icon
dc-woocommerce-multi-vendor
Fixed in 4.0.24

References

CVE
CVE-2023-51355
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6cdc0096-8e21-4b82-b9d0-961f48907a09

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
thiennv
Verified
No
WPVDB ID
dfc80c97-5aed-46a5-80ed-1864555c4e76

Timeline

Publicly Published
2023-12-26 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-03-31
Title
YayExtra < 1.5.3 - Missing Authorization
Published
2025-08-01
Title
WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons < 1.7.1 - Missing Authorization to Unauthenticated Sticky Status Update
Published
2026-01-20
Title
Simply Schedule Appointments < 1.6.9.17 - Missing Authorization
Published
2024-09-16
Title
WooCommerce Multilingual & Multicurrency < 5.3.7 - Missing Authorization
Published
2026-03-03
Title
Seraphinite Accelerator < 2.28.15 - Missing Authorization to Authenticated (Subscriber+) Log Clearing