Unauthorized Data Deletion in MultiVendorX WooCommerce Plugin for WordPress
CVE-2025-2789

5.3 MEDIUM

What is CVE-2025-2789?

The MultiVendorX plugin for WooCommerce contains a vulnerability that permits unauthorized users to delete critical shipping rate data due to a missing capability check in the delete_table_rate_shipping_row function. This oversight can negatively affect shipping calculations, leading to possible disruptions in order processing and fulfillment for eCommerce platforms utilizing this plugin. Affected versions are up to and including 4.2.19.

Affected Version(s)

MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy * <= 4.2.19

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Brian Sans-Souci