WordPress Plugin Vulnerabilities

MultiVendorX < 4.2.24 - Missing Authorization

Description

The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.23. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
dc-woocommerce-multi-vendor
Fixed in 4.2.24

References

CVE
CVE-2025-49916
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ba9b2d34-c1a3-47c2-9eee-51592faa8805

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Kévin Mosbahi (Mika)
Verified
No
WPVDB ID
f237364f-9aae-4d4b-9e6c-7fd98ac9afa5

Timeline

Publicly Published
2025-06-12 (about 1 year ago)
Added
2025-12-11 (about 6 months ago)
Last Updated
2025-12-11 (about 6 months ago)

Other

Published
Title
Published
2022-01-31
Title
Better Notifications for WP < 1.8.7 - Email Address Disclosure
Published
2022-11-17
Title
WooSwipe WooCommerce Gallery < 3.0.0 - Subscriber+ Settings Update
Published
2026-02-04
Title
Addonify – WooCommerce Wishlist < 2.0.16 - Missing Authorization to Unauthenticated Settings Update
Published
2026-05-26
Title
Genemy - Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing <= 1.6.6 - Missing Authorization
Published
2024-08-07
Title
Masteriyo - LMS < 1.11.5 - Missing Authorization