SQL Injection Vulnerability in MultiVendorX Plugin for WooCommerce by WordPress
CVE-2026-12941

6.5MEDIUM

What is CVE-2026-12941?

The MultiVendorX plugin for WooCommerce contains a vulnerability that allows authenticated users, specifically those with subscriber-level access and higher, to exploit a SQL Injection flaw via the 'order_by' parameter. Due to improper handling of user-supplied input and a lack of adequate preparation for SQL queries, attackers can inject additional SQL commands. This can lead to unauthorized access and extraction of sensitive data from the database. The issue is particularly concerning when the store approval settings are configured to automatically approve store owner registrations, making it easy for any logged-in user to obtain the necessary permissions to manipulate transactions and access critical information.

Affected Version(s)

MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions 0 <= 5.0.9

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.