Description
The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22.
Published: 2025-05-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary post, page, attachment, and product deletion by authenticated users with Contributor-level access
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a misconfigured capability check on the delete_fpm_product function. The check, as described, establishes that the caller holds some capability but does not bind that permission to the particular post being deleted, so any authenticated user with Contributor permissions or higher can delete arbitrary posts, pages, attachments, and products. The result is unintended data loss and disruption of the marketplace's content integrity. The weakness is classified as CWE-863 (Incorrect Authorization). The impact is limited to loss of stored data rather than system compromise, but deleted products, pages, and media can undermine user trust and content consistency.
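As an added illustration, written for this page and not taken from MultiVendorX (the real delete_fpm_product implementation is not shown here), the hypothetical admin-ajax handler below shows the CWE-863 pattern the advisory describes, beside a hardened version. The handler and nonce names with the example_ prefix, the product_id POST parameter, and the use of admin-ajax are assumptions for the example; the functions called are standard WordPress core APIs.

```php
<?php
/**
 * Added example, not MultiVendorX code: a capability check that is not bound
 * to the target post (CWE-863) beside a hardened handler. Handler names,
 * the nonce name and the 'product_id' parameter are assumptions.
 */

// VULNERABLE: 'edit_posts' is a role-wide capability that every Contributor
// holds, and it says nothing about the post in question. wp_delete_post()
// accepts any post ID of any post type, so a Contributor can delete a
// product, page or attachment belonging to anyone.
function example_delete_product_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = absint( $_POST['product_id'] ?? 0 );
    wp_delete_post( $post_id, true ); // no ownership or post-type check
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// HARDENED: object-level authorization plus a post-type restriction.
function example_delete_product_hardened() {
    // Defense in depth (not the reported flaw): the request must carry a
    // nonce minted for this action, which blocks CSRF. wp_die()s on failure.
    check_ajax_referer( 'example_delete_product', 'nonce' );

    $post_id = absint( $_POST['product_id'] ?? 0 );
    $post    = $post_id ? get_post( $post_id ) : null;

    // Only the post type this handler exists for; pages, attachments and
    // ordinary posts are rejected up front.
    if ( ! $post || 'product' !== $post->post_type ) {
        wp_send_json_error( 'not a product', 400 );
    }

    // 'delete_post' is a meta capability: WordPress resolves it per post,
    // against the post type's capability set and the post's author, so the
    // decision is about this specific object rather than the role in general.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post->ID, true );
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}

add_action( 'wp_ajax_example_delete_product', 'example_delete_product_hardened' );
```

The fix is the per-object check, not the nonce: wp_send_json_error() terminates the request, so a Contributor asking to delete a post they do not own never reaches wp_delete_post(). For WooCommerce's product post type, delete_post maps to the product-specific capabilities (delete_products, delete_others_products, and so on), so a plain Contributor is denied regardless of ownership, while a vendor role that has been granted those capabilities can still delete its own products.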

Affected Systems

WordPress sites running the MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin in versions up to and including 4.2.22 are affected; the plugin is tracked under the vendor and product name Multivendorx (CPE cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:*:wordpress:*:*). It integrates tightly with WooCommerce and operates as a standard WordPress plugin. Note that 4.2.22 is listed both as affected and as carrying only a partial patch, so sites on any of these versions remain exposed until a release with the completed capability check is installed.

Risk and Exploitability

The CVSS v3.1 base score is 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), while the EPSS score is below 1%, indicating a low estimated likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation. An attacker needs an authenticated account in the Contributor role or higher; the exploitation path involves invoking the delete_fpm_product function through the plugin's AJAX endpoint or admin interface. Because the flaw is limited to content deletion (the vector records a Low integrity impact and no confidentiality or availability impact), an attacker can cause data loss and disruption of marketplace content but cannot gain broader system control.

Generated by OpenCVE AI on April 21, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MultiVendorX plugin to a version later than 4.2.22, since 4.2.22 is itself listed as affected and contains only a partial fix of the capability check
  • Limit Contributor‑level (and higher) accounts to users who genuinely need them; the flawed check bypasses WordPress's own per‑post delete capabilities rather than relying on them, so tightening the role's capabilities alone does not close the gap
  • Monitor site logs for unexpected deletion activity from Contributor accounts (in particular deletions of posts, pages, attachments, or products the account does not own) and enforce stricter role boundaries if necessary
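To act on the monitoring recommendation, here is an added example (written for this page, not part of the plugin or of OpenCVE's guidance) of a must-use plugin that logs every post, attachment, and trash operation together with the acting user's roles, so a Contributor removing content it does not own stands out. The log line format, the "ALERT" marker, and the example_ function name are assumptions; the hooks and functions are WordPress core.

```php
<?php
/**
 * Plugin Name: Post deletion audit log (added example, not MultiVendorX code)
 * Description: Logs every post/attachment deletion and trash operation with the
 *              actor's roles, so deletions by Contributor-level accounts (the
 *              precondition for CVE-2025-4101) are visible in the PHP error log.
 * Note: the log format and the "ALERT" marker are assumptions for this page.
 */

function example_log_post_deletion( $post_id, $post = null ) {
    // before_delete_post and delete_attachment pass the WP_Post as the 2nd
    // argument on WordPress >= 5.5; wp_trash_post passes a status string, so
    // fall back to a lookup whenever the 2nd argument is not a post object.
    $post = $post instanceof WP_Post ? $post : get_post( $post_id );
    if ( ! $post ) {
        return;
    }

    $user      = wp_get_current_user();
    $logged_in = $user->exists();
    $is_owner  = $logged_in && (int) $post->post_author === (int) $user->ID;

    $entry = sprintf(
        'post-delete hook=%s user=%s roles=%s post_id=%d type=%s owner=%s ip=%s',
        current_action(),
        $logged_in ? $user->user_login : '-',
        $logged_in ? implode( ',', $user->roles ) : 'unauthenticated',
        $post->ID,
        $post->post_type,
        $is_owner ? 'yes' : 'no',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    );
    error_log( $entry );

    // The case the advisory describes: an account that WordPress itself would
    // not let delete other users' posts is removing content it does not own.
    // This is a heuristic; roles with product-specific capabilities may need
    // a different capability in this test.
    if ( $logged_in && ! $is_owner && ! current_user_can( 'delete_others_posts' ) ) {
        error_log( 'ALERT cross-owner deletion by low-privilege account: ' . $entry );
    }
}

// wp_delete_post() fires before_delete_post; attachments are routed through
// wp_delete_attachment(), which fires delete_attachment instead; trashing
// fires wp_trash_post. Hook all three so no removal path goes unlogged.
add_action( 'before_delete_post', 'example_log_post_deletion', 10, 2 );
add_action( 'delete_attachment',  'example_log_post_deletion', 10, 2 );
add_action( 'wp_trash_post',      'example_log_post_deletion', 10, 2 );
```

Drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be deactivated from the dashboard. The hooks fire after authorization has already been decided, so this catches the abuse rather than preventing it; pair it with the upgrade, and review ALERT lines for accounts whose roles contain contributor.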



Advisories
Source: EUVD
ID: EUVD-2025-15587
Title: The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22.
History

Wed, 28 May 2025 13:45:00 +0000

Values removed: none
Values added:
  First Time appeared: Multivendorx; Multivendorx multivendorx
  CPEs: cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:*:wordpress:*:*
  Vendors & Products: Multivendorx; Multivendorx multivendorx

Mon, 19 May 2025 19:15:00 +0000

Values removed: none
Values added:
  Metrics: ssvc (version 2.0.3): Exploitation: none; Automatable: no; Technical Impact: partial


Sat, 17 May 2025 12:30:00 +0000

Values removed: none
Values added:
  Description: The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22.
  Title: MultiVendorX – WooCommerce Multivendor Marketplace Solutions <= 4.2.22 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Post Deletion
  Weaknesses: CWE-863
  References: -
  Metrics: cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:32.506Z

Reserved: 2025-04-29T18:54:24.866Z

Link: CVE-2025-4101

Vulnrichment

Updated: 2025-05-19T14:49:38.137Z

NVD

Status : Analyzed

Published: 2025-05-17T13:15:47.910

Modified: 2025-05-28T13:28:20.060

Link: CVE-2025-4101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses