Description
Insertion of Sensitive Information Into Sent Data vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Retrieve Embedded Sensitive Data. This issue affects MultiVendorX: from n/a through <= 4.2.22.
Published: 2025-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MultiVendorX plugin inserts sensitive information into data it sends, allowing attackers to retrieve the embedded sensitive data. The result is a loss of confidentiality for data handled by the plugin; the CVSS vector rates the confidentiality impact as High (C:H) with no integrity or availability impact (I:N/A:N). The weakness is categorized as CWE-201 (Insertion of Sensitive Information Into Sent Data).

Affected Systems

WordPress sites with the MultiVendorX plugin installed are vulnerable when the plugin version is 4.2.22 or earlier. The advisory gives no lower bound ("from n/a"), so every release up to and including 4.2.22 should be treated as affected, regardless of the WordPress version or hosting environment.

Risk and Exploitability

The CVSS score of 7.5 (High) reflects a high risk to confidentiality. The EPSS score of <1% suggests that the likelihood of exploitation is low, and the vulnerability is not listed in CISA’s KEV. The plugin exposes sensitive data through its data retrieval mechanisms, so the attack vector is likely a remote request to the plugin’s API or administrative interface. The published CVSS vector (AV:N/AC:L/PR:N/UI:N) rates the attack as network-reachable and low-complexity, with no privileges or user interaction required. Successful exploitation requires network access to the WordPress site and insufficient access controls on the plugin’s endpoints.

Generated by OpenCVE AI on April 30, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MultiVendorX plugin to a version newer than 4.2.22, or apply the vendor’s official patch if available.
  • After updating, review the database and plugin configuration for any residual sensitive data that might have been stored or cached, and remove it.
  • Enforce strict role‑based access control for the plugin’s admin pages and API endpoints, ensuring only authorized administrators can retrieve or view sensitive information.

Advisories
Source: EUVD
ID: EUVD-2025-17536
Title: Insertion of Sensitive Information Into Sent Data vulnerability in MultiVendorX MultiVendorX allows Retrieve Embedded Sensitive Data. This issue affects MultiVendorX: from n/a through 4.2.22.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Insertion of Sensitive Information Into Sent Data vulnerability in MultiVendorX MultiVendorX allows Retrieve Embedded Sensitive Data. This issue affects MultiVendorX: from n/a through 4.2.22.
  Added: Insertion of Sensitive Information Into Sent Data vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Retrieve Embedded Sensitive Data. This issue affects MultiVendorX: from n/a through <= 4.2.22.
Title
  Removed: WordPress MultiVendorX <= 4.2.22 - Sensitive Data Exposure Vulnerability
  Added: WordPress MultiVendorX plugin <= 4.2.22 - Sensitive Data Exposure Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Removed: epss {'score': 0.00041}
  Added: epss {'score': 0.00044}


Wed, 02 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Multivendorx
Multivendorx multivendorx
CPEs cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:*:wordpress:*:*
Vendors & Products Multivendorx
Multivendorx multivendorx

Tue, 10 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in MultiVendorX MultiVendorX allows Retrieve Embedded Sensitive Data. This issue affects MultiVendorX: from n/a through 4.2.22.
Title WordPress MultiVendorX <= 4.2.22 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:55.692Z

Reserved: 2025-05-19T14:13:16.806Z

Link: CVE-2025-48261

Vulnrichment

Updated: 2025-06-10T13:52:26.490Z

NVD

Status: Modified

Published: 2025-06-09T16:15:44.183

Modified: 2026-04-29T10:16:48.280

Link: CVE-2025-48261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:15:06Z
