WordPress Plugin Vulnerabilities

MultiVendorX Marketplace < 4.0.26 - Missing Authorization

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check, allowing unauthenticated attackers to call a function that should be accessible to higher users only

Affects Plugins

Plugin icon
dc-woocommerce-multi-vendor
Fixed in 4.0.26

References

CVE
CVE-2024-24703
URL
https://patchstack.com/database/vulnerability/dc-woocommerce-multi-vendor/wordpress-multivendorx-plugin-4-1-1-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Le Ngoc Anh
Verified
No
WPVDB ID
f617c8ab-f693-4e3a-818b-6554ba24468f

Timeline

Publicly Published
2024-01-31 (about 2 years ago)
Added
2024-02-05 (about 2 years ago)
Last Updated
2024-02-13 (about 2 years ago)

Other

Published
Title
Published
2025-01-07
Title
1003 Mortgage Application <= 1.87 - Missing Authorization
Published
2023-11-07
Title
Easy Social Icons < 3.2.5 - Missing Authorization via cnss_save_ajax_order
Published
2025-06-30
Title
MobiLoud < 4.6.6.1 - Missing Authorization
Published
2025-12-17
Title
Watu Quiz < 3.4.5.1 - Missing Authorization
Published
2023-09-12
Title
WP User Control <= 1.5.3 - Unauthenticated password reset