CVE-2024-12413 is a missing authorization vulnerability (CWE-862) in the MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress, affecting all versions up to 2.0.00. The vulnerability stems from the absence of proper capability checks on multiple sensitive functions including 'marketking_delete_team_member', 'marketkingrejectuser', and 'marketking_save_profile_settings'. These functions control critical operations such as deleting users, rejecting or approving users, and modifying profile settings. Because these functions lack authorization enforcement, unauthenticated attackers can invoke them remotely without any credentials or user interaction. This leads to unauthorized modification of user accounts and marketplace settings, potentially disrupting marketplace operations and user trust. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, no privileges required, no user interaction, and limited impact on integrity without confidentiality or availability impact. No known exploits have been reported yet, but the vulnerability's nature makes it a significant risk for WooCommerce multivendor marketplaces using this plugin. The absence of patches at the time of disclosure necessitates immediate defensive measures by administrators.

The vulnerability allows unauthenticated attackers to perform unauthorized actions such as deleting team members, modifying profile settings, and approving or rejecting users. This can lead to disruption of marketplace operations, loss of user accounts, unauthorized changes to marketplace configurations, and potential reputational damage. While the vulnerability does not directly expose confidential data or cause denial of service, the integrity of the marketplace environment is compromised. Attackers could manipulate vendor accounts or marketplace settings to their advantage, potentially facilitating fraud or further attacks. Organizations relying on this plugin for their e-commerce platforms face operational risks and potential financial losses if exploited. The ease of exploitation without authentication increases the threat level, especially for marketplaces with high user activity and valuable transactions.

Until an official patch is released, organizations should implement strict access controls at the web server or application firewall level to restrict access to the vulnerable plugin endpoints. Employing Web Application Firewalls (WAFs) with custom rules to block requests targeting functions like 'marketking_delete_team_member' and 'marketkingrejectuser' can reduce exposure. Monitoring logs for unusual or unauthorized requests to these endpoints is critical for early detection. Administrators should also review user roles and permissions within WordPress and WooCommerce to minimize privileges where possible. Keeping the WordPress core, WooCommerce, and all plugins updated is essential. Once a patch becomes available, immediate application is mandatory. Additionally, consider isolating the marketplace environment and enforcing multi-factor authentication for administrative accounts to limit the impact of any unauthorized changes.