Impact
The MultiVendorX multi-vendor marketplace plugin for WordPress contains a missing authorization flaw, classified as CWE-862: at least one plugin endpoint performs a privileged operation without verifying that the caller holds the capability that operation requires. An attacker who can reach the affected endpoint can therefore invoke functionality that should be restricted. In a marketplace plugin that plausibly means creating or modifying vendor listings, reading vendor data, or performing actions reserved for higher-privileged roles, but the enrichment text does not name the specific handler or operation, so the exact reach depends on which check is missing. Because the gap is in the server-side check rather than in the user interface, hiding menu entries or buttons does not close it; the flaw affects the confidentiality and integrity of vendor and marketplace data and, depending on the operation exposed, its availability.
Affected Systems
MultiVendorX – the MultiVendorX WordPress plugin, all releases up to and including 4.2.23. The CVE record gives no lower bound, so every earlier release should be treated as vulnerable. Check the installed version on the Plugins screen or with WP-CLI (wp plugin list --fields=name,version) and plan to update to the first release the vendor identifies as fixed; the enrichment text itself does not name that release.
Risk and Exploitability
The CVSS score of 8.6 places the issue in the high-severity band, consistent with a network-reachable flaw with significant impact; the enrichment text does not give the vector string, so the privilege level and user interaction actually required should be read from the CVE record. The EPSS score below 1% is an estimate of the probability of exploitation in the wild over the next 30 days, not a statement that the bug is hard to trigger: missing-authorization bugs in WordPress plugins are typically trivial to exploit once the unprotected endpoint is known, usually with a single crafted HTTP request. Absence from CISA's KEV catalog means only that CISA has not confirmed active exploitation; it is not evidence that exploitation is not occurring. The likely attack surface is the plugin's admin-ajax.php actions and REST routes, reached directly with crafted requests rather than through the admin UI. Whether an anonymous visitor or only a low-privileged account (a customer or vendor user, for example) can reach the unprotected handler is not stated here; until the vendor advisory says otherwise, assume any account that can hit the endpoint can trigger the flaw, since the authorization check is absent on the server side and the client-side UI is not a security control.
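To make the CWE-862 pattern described in the Impact and Risk sections concrete, here is a hypothetical WordPress plugin fragment showing an admin-ajax handler and a REST route that lack authorization, beside their hardened forms. This is example code written for this note; it is not taken from MultiVendorX, and the acme_vendor_ / acme_listing names, the acme-vendor/v1 namespace, and the assumption that the listing post type is registered with map_meta_cap enabled are all invented for illustration.

```php
<?php
/**
 * Hypothetical plugin fragment illustrating CWE-862 (missing authorization)
 * in WordPress. NOT MultiVendorX code; all acme_* names are invented.
 * Assumes a custom post type 'acme_listing' registered with map_meta_cap.
 */

/* ---- Vulnerable admin-ajax handler ---------------------------------- */

// Registering both hooks exposes the handler to logged-in users (wp_ajax_)
// AND to anonymous visitors (wp_ajax_nopriv_).
add_action( 'wp_ajax_acme_vendor_update_listing',        'acme_vendor_update_listing_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_vendor_update_listing', 'acme_vendor_update_listing_vulnerable' );

function acme_vendor_update_listing_vulnerable() {
	// No nonce, no capability check, no ownership check: anyone who can POST
	// to /wp-admin/admin-ajax.php?action=acme_vendor_update_listing can
	// rewrite any listing simply by choosing listing_id.
	$listing_id = absint( $_POST['listing_id'] ?? 0 );
	wp_update_post( array(
		'ID'         => $listing_id,
		'post_title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
	) );
	wp_send_json_success();
}

/* ---- Hardened admin-ajax handler ------------------------------------ */

// Authenticated hook only: anonymous callers never reach the callback.
add_action( 'wp_ajax_acme_vendor_update_listing_v2', 'acme_vendor_update_listing_hardened' );

function acme_vendor_update_listing_hardened() {
	// 1. CSRF: request must carry a nonce minted for this action
	//    (wp_create_nonce('acme_vendor_update_listing') on the page side).
	check_ajax_referer( 'acme_vendor_update_listing', 'nonce' );

	$listing_id = absint( $_POST['listing_id'] ?? 0 );
	$listing    = $listing_id ? get_post( $listing_id ) : null;

	// 2. The object must exist and be of the type this endpoint manages.
	if ( ! $listing || 'acme_listing' !== $listing->post_type ) {
		wp_send_json_error( array( 'message' => 'not found' ), 404 );
	}

	// 3. Authorization against the specific object, plus an explicit
	//    ownership check so one vendor cannot edit another vendor's listing
	//    even if a loosely configured role grants a broad edit capability.
	if ( ! current_user_can( 'edit_post', $listing_id )
		|| (int) $listing->post_author !== get_current_user_id() ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	wp_update_post( array(
		'ID'         => $listing_id,
		'post_title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
	) );
	wp_send_json_success();
}

/* ---- The same flaw, and fix, in a REST route ------------------------ */

function acme_vendor_rest_update( WP_REST_Request $request ) {
	$id = absint( $request['id'] );
	wp_update_post( array(
		'ID'         => $id,
		'post_title' => sanitize_text_field( (string) $request['title'] ),
	) );
	return rest_ensure_response( array( 'updated' => $id ) );
}

add_action( 'rest_api_init', function () {
	// Vulnerable: '__return_true' makes the route world-reachable. Omitting
	// permission_callback entirely is the same bug; WordPress only raises a
	// _doing_it_wrong notice and still serves the request.
	register_rest_route( 'acme-vendor/v1', '/listing/(?P<id>\d+)', array(
		'methods'             => 'POST',
		'callback'            => 'acme_vendor_rest_update',
		'permission_callback' => '__return_true',
	) );

	// Hardened: the permission callback decides per request and per object.
	register_rest_route( 'acme-vendor/v1', '/listing-v2/(?P<id>\d+)', array(
		'methods'             => 'POST',
		'callback'            => 'acme_vendor_rest_update',
		'args'                => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
		'permission_callback' => function ( WP_REST_Request $request ) {
			$id      = absint( $request['id'] );
			$listing = get_post( $id );
			return $listing
				&& 'acme_listing' === $listing->post_type
				&& current_user_can( 'edit_post', $id )
				&& (int) $listing->post_author === get_current_user_id();
		},
	) );
} );
```

To confirm which category a site is in, send the same request once as an anonymous client and once as the lowest-privileged account the site offers (a customer or vendor login): the vulnerable handlers return success for both, the hardened ones return 403 (or WordPress's default "0" for anonymous admin-ajax calls). Note that cookie-authenticated REST requests also need an X-WP-Nonce header, otherwise WordPress treats the caller as anonymous and the hardened permission callback correctly rejects them.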
OpenCVE Enrichment