Missing Authorization Vulnerability in WCFM Marketplace by WC Lovers
CVE-2025-64631

5MEDIUM

Key Information:

Vendor: WordPress
Status: Wcfm Marketplace
Vendor: CVE Published:; 16 December 2025

What is CVE-2025-64631?

A missing authorization vulnerability exists in the WCFM Marketplace (wc-multivendor-marketplace) plugin, allowing for incorrect configuration of access control security levels. This flaw can be exploited by attackers to gain unauthorized access to restricted areas, affecting installations of WCFM Marketplace up to version 3.6.15. Administrators are advised to check their access control settings and upgrade to the latest version to mitigate potential risks.

Affected Version(s)

WCFM Marketplace 0 <= 3.7.1

References

https://patchstack.com/database/Wordpress/Plugin/wc-multi...

vdb-entry

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 16, 2025
Vulnerability Reserved
Nov 6, 2025

Credit

benzdeus | Patchstack Bug Bounty Program

CVE-2025-64631 Data

JSON

WordPress

What is CVE-2025-64631?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit