Description
The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.
Published: 2025-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Shipping Table Rates
Action: Apply Patch
AI Analysis

Impact

The supplier’s WooCommerce Multivendor Marketplace plugin contains a missing capability check in the delete_table_rate_shipping_row function, allowing anyone who can send a request to the site to delete shipping table rates. Removing these records alters the calculation of shipping costs, potentially leading to incorrect charges, refunds, or denied shipments. The vulnerability is a classic missing authorization flaw (CWE‑862).

Affected Systems

Any installation of the MultiVendorX plugin on a WordPress site running version 4.2.19 or earlier is vulnerable. The flaw exists across all builds up to that release and affects any store that relies on custom table rates for shipping.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS value of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Attacks would require unauthenticated access to the WordPress installation and the ability to trigger the delete_table_rate_shipping_row endpoint, which can be achieved by forming an HTTP request to the plugin’s handler. Once exploited, the attacker can erase multiple table entries, destabilizing shipping logic and causing financial or service disruptions.

Generated by OpenCVE AI on April 20, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MultiVendorX plugin to the latest released version that includes the authorization check for delete operations.
  • If an upgrade is not immediately possible, restrict unauthenticated access to the delete_table_rate_shipping_row handler by implementing URL‑based access controls or by configuring the web server to require authentication for that endpoint.
  • If the plugin is not critical to site operation, consider temporarily disabling it or removing the table rates feature until a confirmed patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9911 The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.
History

Wed, 04 Jun 2025 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Multivendorx
Multivendorx multivendorx
CPEs cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:*:wordpress:*:*
Vendors & Products Multivendorx
Multivendorx multivendorx

Mon, 07 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 05 Apr 2025 05:45:00 +0000

Type Values Removed Values Added
Description The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.
Title MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.19 - Missing Authorization to Unauthenticated Table Rates Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Multivendorx Multivendorx
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:26.104Z

Reserved: 2025-03-25T13:21:39.878Z

Link: CVE-2025-2789

cve-icon Vulnrichment

Updated: 2025-04-07T13:05:57.744Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-05T06:15:39.477

Modified: 2025-06-04T22:26:48.120

Link: CVE-2025-2789

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses