CVE-2024-8289

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.0 - Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover

Description

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.

INFO

Published Date :

2024-09-04T08:30:38.531Z

Last Modified :

2026-04-08T17:13:52.704Z

Source :

Wordfence

AFFECTED PRODUCTS

The following products are affected by CVE-2024-8289 vulnerability.

Vendors	Products
Multivendorx	Multivendorx

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-8289.

URL	Resource
https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L382
https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L641
https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.0/api/class-mvx-rest-vendors-controller.php#L705
https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/api/class-mvx-rest-vendors-controller.php?rev=3145638
https://www.wordfence.com/threat-intel/vulnerabilities/id/a85fbaff-d566-4ed2-8943-c174e0c4d2d8?source=cve

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact