CVE-2024-8289: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.0 - Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover
First published: Wed Sep 04 2024(Updated: )
The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MultiVendorX | <4.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a85fbaff-d566-4ed2-8943-c174e0c4d2d8?source=cve
- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L705
- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L641
- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L382
- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/api/class-mvx-rest-vendors-controller.php?rev=3145638
Frequently Asked Questions
What is the severity of CVE-2024-8289?
CVE-2024-8289 has been classified as a high severity vulnerability that allows for privilege escalation and account takeover.
How do I fix CVE-2024-8289?
To fix CVE-2024-8289, update the MultiVendorX plugin to version 4.2.1 or later where the vulnerability has been patched.
What are the potential impacts of CVE-2024-8289?
The potential impacts of CVE-2024-8289 include unauthorized access to user accounts and administrative functions within the MultiVendorX plugin.
Which versions of MultiVendorX are affected by CVE-2024-8289?
CVE-2024-8289 affects all versions of MultiVendorX up to version 4.2.1.
Who is vulnerable to CVE-2024-8289?
Any WordPress site using the MultiVendorX plugin versions prior to 4.2.1 is vulnerable to CVE-2024-8289.
- agent/references
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/type
- agent/severity
- agent/author
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/multivendorx
- canonical/multivendorx