Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Stored XSS. This issue affects MultiVendorX: from n/a through <= 4.2.13.
Published: 2025-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation. An attacker can inject script code into fields managed by the MultiVendorX plugin; because the stored value is later rendered into the page without being neutralized, the result is stored Cross‑Site Scripting. If exploited, the attacker can hijack user sessions, steal cookies, deface the site, or track user activity. The flaw corresponds to CWE‑79, which covers user-controlled input that is not properly neutralized (sanitized on input or escaped on output) before being placed in web page output.

Affected Systems

All installations of the WordPress MultiVendorX plugin up to and including version 4.2.13 are affected. No other plugin versions or products are listed as impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity. The EPSS score of less than 1% shows a low likelihood of active exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to submit data to the plugin’s input fields, typically through the site’s administrative or vendor interfaces. Once injected, the malicious payload persists on the site and can affect any user who views the affected page.

Generated by OpenCVE AI on May 2, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest released version of the MultiVendorX plugin, ensuring all known security fixes are applied.
  • If an update cannot be applied immediately, sanitize all user‑supplied input in the plugin or temporarily disable the fields that accept untrusted data.
  • Ensure that WordPress core and other plugins are kept current, and consider deploying a web application firewall that blocks suspicious script payloads.
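The "sanitize on input, escape on output" advice above, shown as an added illustration in a WordPress plugin context. This is hypothetical example code written for this page, not MultiVendorX's code: the field name `vendor_tagline`, the meta keys and the `demo_` functions are all assumed. It places the CWE-79 pattern (a stored value echoed straight into the page) beside the hardened version, which checks the caller's capability and nonce, sanitizes on save, and escapes at the point of output with the escaping function that matches the HTML context.

```php
<?php
// Added illustration of CWE-79 in a WordPress plugin (hypothetical field and
// function names; not MultiVendorX code).

// --- Weak pattern: request data is stored raw and echoed without escaping ---
function demo_vendor_tagline_save_weak( $vendor_post_id ) {
    if ( isset( $_POST['vendor_tagline'] ) ) {
        // Raw request data is stored as-is, markup included.
        update_post_meta( $vendor_post_id, '_vendor_tagline', wp_unslash( $_POST['vendor_tagline'] ) );
    }
}

function demo_vendor_tagline_render_weak( $vendor_post_id ) {
    $tagline = get_post_meta( $vendor_post_id, '_vendor_tagline', true );
    // Whatever was stored becomes part of the HTML, so a script element in the
    // stored value runs in the browser of every visitor or admin who views the page.
    echo '<p class="vendor-tagline">' . $tagline . '</p>';
}

// --- Hardened pattern: authorize the request, sanitize on input, escape on output ---
function demo_vendor_tagline_save( $vendor_post_id ) {
    // Only a user allowed to edit this vendor post may change the field.
    if ( ! current_user_can( 'edit_post', $vendor_post_id ) ) {
        return;
    }
    // The nonce ties the request to a form this site issued to this user (CSRF check).
    $nonce = isset( $_POST['demo_vendor_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_vendor_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_vendor_save_' . $vendor_post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['vendor_tagline'] ) ) {
        return;
    }
    // The tagline is plain text by design: sanitize_text_field() strips tags,
    // octets and control characters before the value is stored.
    $tagline = sanitize_text_field( wp_unslash( $_POST['vendor_tagline'] ) );
    update_post_meta( $vendor_post_id, '_vendor_tagline', $tagline );
}

function demo_vendor_tagline_render( $vendor_post_id ) {
    $tagline = get_post_meta( $vendor_post_id, '_vendor_tagline', true );
    // Escape at the point of output regardless of what happened on save: stored
    // data may predate the fix or have been written by another code path.
    // esc_attr() for the attribute context, esc_html() for the element body.
    echo '<p class="vendor-tagline" title="' . esc_attr( $tagline ) . '">' . esc_html( $tagline ) . '</p>';
}

// A field that legitimately allows limited HTML (e.g. a store description) is
// rendered through wp_kses_post(), which keeps post-safe markup and drops script.
function demo_vendor_description_render( $vendor_post_id ) {
    $description = get_post_meta( $vendor_post_id, '_vendor_description', true );
    echo '<div class="vendor-description">' . wp_kses_post( $description ) . '</div>';
}
```

The save and render functions would be attached to the plugin's own save and display hooks; the form that submits `vendor_tagline` must include a nonce field created with `wp_nonce_field( 'demo_vendor_save_' . $vendor_post_id, 'demo_vendor_nonce' )` for the verification in `demo_vendor_tagline_save()` to pass. Output escaping is the control that actually closes CWE-79; input sanitization reduces what reaches the database but does not protect values stored before the fix.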

Advisories
Source: EUVD
ID: EUVD-2025-3898
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX WC Marketplace allows Stored XSS. This issue affects WC Marketplace: from n/a through 4.2.13.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1) added:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX WC Marketplace allows Stored XSS. This issue affects WC Marketplace: from n/a through 4.2.13.
Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Stored XSS.This issue affects MultiVendorX: from n/a through <= 4.2.13.
References
Metrics (cvssV3_1) added:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 24 Jan 2025 19:15:00 +0000

Metrics (ssvc) added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Jan 2025 17:30:00 +0000

Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX WC Marketplace allows Stored XSS. This issue affects WC Marketplace: from n/a through 4.2.13.
Title added: WordPress MultiVendorX plugin <= 4.2.13 - Cross Site Scripting (XSS) vulnerability
Weaknesses added: CWE-79
References
Metrics (cvssV3_1) added:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Multivendorx Wc Marketplace
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:32.729Z

Reserved: 2025-01-23T14:52:31.176Z

Link: CVE-2025-24706

Vulnrichment

Updated: 2025-01-24T18:39:15.322Z

NVD

Status : Deferred

Published: 2025-01-24T18:15:44.003

Modified: 2026-04-23T15:25:20.097

Link: CVE-2025-24706

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:30:26Z

Weaknesses