{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2789", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-25T13:21:39.878Z", "datePublished": "2025-04-05T05:32:14.306Z", "dateUpdated": "2025-04-07T14:11:36.041Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-05T05:32:14.306Z"}, "affected": [{"vendor": "wcmp", "product": "MultiVendorX \u2013 Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace \u2013 Build the Next Amazon, eBay, Etsy", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "4.2.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MultiVendorX \u2013 Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace \u2013 Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations."}], "title": "MultiVendorX \u2013 The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.19 - Missing Authorization to Unauthenticated Table Rates Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf4eca37-066f-428c-a4f7-061ce06e1142?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.19/packages/mvx-tablerate/mvx-tablerate.php#L78"}, {"url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.19/packages/mvx-tablerate/mvx-tablerate.php#L211"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "timeline": [{"time": "2025-01-05T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2025-04-04T16:21:21.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-07T13:05:56.077387Z", "id": "CVE-2025-2789", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T14:11:36.041Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2789", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-07T13:05:56.077387Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T13:05:57.744Z"}}], "cna": {"title": "MultiVendorX \u2013 The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.19 - Missing Authorization to Unauthenticated Table Rates Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wcmp", "product": "MultiVendorX \u2013 Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace \u2013 Build the Next Amazon, eBay, Etsy", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.2.19"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-01-05T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-04-04T16:21:21.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf4eca37-066f-428c-a4f7-061ce06e1142?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.19/packages/mvx-tablerate/mvx-tablerate.php#L78"}, {"url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.19/packages/mvx-tablerate/mvx-tablerate.php#L211"}], "descriptions": [{"lang": "en", "value": "The MultiVendorX \u2013 Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace \u2013 Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-05T05:32:14.306Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2789", "state": "PUBLISHED", "dateUpdated": "2025-04-07T14:11:36.041Z", "dateReserved": "2025-03-25T13:21:39.878Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-05T05:32:14.306Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D2B495C3-4F9B-4B46-9BC1-49725D8422E0", "versionEndExcluding": "4.2.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The MultiVendorX \u2013 Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace \u2013 Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations."}, {"lang": "es", "value": "El complemento MultiVendorX \u2013 Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace \u2013 Build the Next Amazon, eBay, Etsy para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n delete_table_rate_shipping_row en todas las versiones hasta la 4.2.19 incluida. Esto permite que atacantes no autenticados eliminen las tarifas de tabla, lo que puede afectar el c\u00e1lculo de los gastos de env\u00edo."}], "id": "CVE-2025-2789", "lastModified": "2025-06-04T22:26:48.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-05T06:15:39.477", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.19/packages/mvx-tablerate/mvx-tablerate.php#L211"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.19/packages/mvx-tablerate/mvx-tablerate.php#L78"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf4eca37-066f-428c-a4f7-061ce06e1142?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{}