MultiVendorX
Moderate fix1 remedy
cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 4.2.22
MultiVendorX WooCommerce Multivendor Marketplace Solutions Incorrect Authorization Vulnerability in WordPress
Vulnerability
Patched
A vulnerability exists in the MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress, in versions through 4.2.22. The issue arises from a misconfigured capability check in the 'delete_fpm_product' function, allowing authenticated attackers with Contributor-level access or higher to delete arbitrary posts, pages, attachments, and products. This vulnerability was partially addressed in version 4.2.22.
Impact
Exploitation of this vulnerability allows for unauthorized deletion of posts, pages, attachments, and products by users with Contributor-level access or higher.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or above can send a request to the 'delete_fpm_product' AJAX action. This request must include the 'proid' parameter, which specifies the ID of the product or post to be deleted. The request will bypass the normal capability checks, allowing the user to delete the specified item.
Remediation
Users are advised to update the MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin to version 4.2.23 or later.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
3.4impact
0.6exploitability
6.4remediation
7.7relevance
0.0threat
4.8urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.