MultiVendorX plugin vulnerable to Cross-Site Request Forgery

CVE-2024-9943

6.3MEDIUM

Key Information

Vendor
Wcmp
Status
Multivendorx – The Ultimate WooCommerce Multivendor Marketplace Solution
Vendor
CVE Published:
24 October 2024

Summary

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.4. This is due to missing or incorrect nonce validation on several functions in api/class-mvx-rest-controller.php. This makes it possible for unauthenticated attackers to update vendor account details, create vendor accounts, and delete arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected Version(s)

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4

References

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

wesley
.