SQL Injection Vulnerability in MultiVendorX Plugin for WooCommerce by WordPress
CVE-2026-12941
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-12941?
The MultiVendorX plugin for WooCommerce contains a vulnerability that allows authenticated users, specifically those with subscriber-level access and higher, to exploit a SQL Injection flaw via the 'order_by' parameter. Due to improper handling of user-supplied input and a lack of adequate preparation for SQL queries, attackers can inject additional SQL commands. This can lead to unauthorized access and extraction of sensitive data from the database. The issue is particularly concerning when the store approval settings are configured to automatically approve store owner registrations, making it easy for any logged-in user to obtain the necessary permissions to manipulate transactions and access critical information.
Affected Version(s)
MultiVendorX β WooCommerce Multivendor Marketplace AI Powered Solutions 0 <= 5.0.9