WordPress Plugin Vulnerabilities

WooCommerce Multivendor Marketplace – REST API < 1.6.0 - Subscriber+ Arbitrary Orders Item And Notes Update

Description

The plugin does not properly implement capability checks on the 'get_item', 'get_order_notes', and 'add_order_note' functions, leading to potential unauthorized access and addition of those items by authenticated users with subscriber privileges or above.

Affects Plugins

Plugin icon
wcfm-marketplace-rest-api
Fixed in 1.6.0

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
fd2fe5e4-5859-4c8d-98e6-641d69e42890

Timeline

Publicly Published
2023-04-26 (about 3 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2021-11-15
Title
Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update
Published
2025-11-18
Title
SiteSEO – SEO Simplified < 1.3.3 - Authenticated Settings Reset
Published
2025-07-30
Title
HT Mega – Absolute Addons For Elementor < 2.9.2 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions
Published
2023-11-28
Title
WCMultiShipping < 2.3.8 - Subscriber+ Arbitrary Account Credentials Test
Published
2025-05-16
Title
MultiVendorX – WooCommerce Multivendor Marketplace Solutions < 4.2.23 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Post Deletion