The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.
History

Thu, 05 Sep 2024 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:*:wordpress:*:*

Wed, 04 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Multivendorx; Multivendorx multivendorx
CPEs cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:*:*:*:*
Vendors & Products Multivendorx; Multivendorx multivendorx
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Sep 2024 08:45:00 +0000

Type Values Removed Values Added
Description The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.
Title MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.0 - Missing Authorization to Limited Vendor Privilege Escalation/Account Takeover
Weaknesses CWE-862
References
Metrics cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-09-04T08:30:38.531Z

Updated: 2024-09-04T14:08:02.811Z

Reserved: 2024-08-28T20:08:09.803Z

Link: CVE-2024-8289

Vulnrichment

Updated: 2024-09-04T14:07:56.579Z

NVD

Status: Analyzed

Published: 2024-09-04T09:15:04.977

Modified: 2024-09-05T17:41:58.350

Link: CVE-2024-8289

Redhat

No data.