Impact
The WC Vendors plugin for WordPress is vulnerable to a Cross‑Site Request Forgery flaw (CWE‑352) that allows an unauthenticated attacker to delete vendor products. The flaw exists because the /vendor_dashboard/product/delete/ endpoint does not validate the required nonce, so a forged request sent from another site is accepted as though it had come from the vendor dashboard itself. If an attacker can convince a site administrator to click a crafted link or load a crafted image, any vendor product can be removed, potentially causing the loss of catalog items, lost revenue, and reputational damage.
Affected Systems
All installations of the WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin with version 2.6.4 or earlier are affected. The vulnerability is specific to the product deletion path on the vendor dashboard and applies to any WordPress site running this plugin.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog. The likely attack path requires the attacker to get an administrator or another privileged user to click a malicious link that triggers a delete request without a valid nonce. Because the request can be launched from a third‑party site while the victim's browser still carries a valid WordPress session, no credentials need to be stolen; the core risk is the potential loss of vendor inventory and associated revenue. Mitigation is most effectively achieved by upgrading the plugin to a version later than 2.6.4 or by adding proper nonce validation to the deletion endpoint.
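The missing check described above, shown as an added illustration that is not WC Vendors' own code: a hypothetical delete handler that trusts the session cookie alone, beside a hardened version that mints a WordPress nonce into the delete link and verifies it, plus the caller's capability, before deleting. The handler names, the hook name and the vendor_product_id field are assumptions; the WordPress functions are real.

```php
<?php
// Added example (hypothetical plugin code, not WC Vendors' own).
// Assumed names: vulnerable_delete_vendor_product, hardened_delete_vendor_product,
// vendor_delete_link, the 'delete_vendor_product' action and the vendor_product_id field.

// VULNERABLE pattern (CWE-352): the deletion is performed on the strength of the
// logged-in cookie alone, so a request triggered from any third-party page is accepted.
function vulnerable_delete_vendor_product() {
    $product_id = absint( $_REQUEST['vendor_product_id'] ?? 0 );
    wp_delete_post( $product_id, true );
}

// HARDENED, step 1: when rendering the dashboard, mint a nonce bound to this
// action, this product and the current user, and embed it in the delete link.
function vendor_delete_link( $product_id ) {
    $url = add_query_arg(
        array( 'action' => 'delete_vendor_product', 'vendor_product_id' => $product_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'delete_vendor_product_' . $product_id, '_wpnonce' );
}

// HARDENED, step 2: verify the nonce and the caller's rights before anything destructive.
function hardened_delete_vendor_product() {
    $product_id = absint( $_REQUEST['vendor_product_id'] ?? 0 );
    $nonce      = isset( $_REQUEST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) )
        : '';

    // CSRF check: a forged cross-site request cannot know this user- and product-bound value.
    if ( ! wp_verify_nonce( $nonce, 'delete_vendor_product_' . $product_id ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), '', array( 'response' => 403 ) );
    }
    // Authorisation check: the nonce proves intent, not permission; both are required.
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        wp_die( esc_html__( 'You may not delete this product.', 'example' ), '', array( 'response' => 403 ) );
    }
    wp_delete_post( $product_id, true );
}

// Route the action through admin-post.php so only logged-in users reach the handler.
add_action( 'admin_post_delete_vendor_product', 'hardened_delete_vendor_product' );
```

Accepting the deletion only over POST (and rejecting GET) further removes the image-tag variant of the attack, since an <img> request can never carry a verified nonce in a POST body.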
OpenCVE Enrichment