Access Control Flaw in MultiVendorX Plugin by WordPress
CVE-2025-49916

8.6HIGH

Key Information:

Vendor: WordPress
Status: Multivendorx
Vendor: CVE Published:; 22 October 2025

What is CVE-2025-49916?

The MultiVendorX plugin for WordPress contains a missing authorization issue that allows users to access functionality that should be restricted. This vulnerability primarily affects versions of the plugin up to and including 4.2.23, enabling unauthorized users to bypass access control lists (ACLs) and potentially exploit the affected website. It is crucial for website administrators to update to the latest version and apply necessary security measures to mitigate this risk.

Affected Version(s)

MultiVendorX <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/dc-w...

vdb-entry

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 22, 2025
Vulnerability Reserved
Jun 11, 2025

Credit

Mika (Patchstack Alliance)

JSON