Ultimate Multivendor Marketplace Plugin Vulnerable to Privilege Escalation and Account Takeover
CVE-2024-8289
Key Information:
- Vendor: WordPress
- CVE Published: 4 September 2024
Summary
The MultiVendorX plugin for WordPress lets site owners run multi-vendor marketplaces, but it contains flaws that allow privilege escalation and account takeover. Specifically, insufficient capability checks in the update_item_permissions_check and create_item_permissions_check functions let unauthenticated attackers manipulate user accounts. Attackers can change the password of any user with the vendor role, create new users with vendor privileges, and demote existing users, including administrators, to the vendor role. This presents a significant security risk for all sites running the plugin prior to version 4.2.0.
Affected Version(s)
MultiVendorX - The Ultimate WooCommerce Multivendor Marketplace Solution: <= 4.2.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
EPSS Score
17% chance of being exploited in the next 30 days.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved