CVE-2025-2789: CWE-862 Missing Authorization in wcmp MultiVendorX – WooCommerce Multivendor Marketplace Solutions
The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.
AI Analysis
Technical Summary
The MultiVendorX WooCommerce Multivendor Marketplace plugin suffers from a missing authorization (CWE-862) vulnerability in the delete_table_rate_shipping_row function. This flaw allows unauthenticated attackers to delete Table Rate shipping entries, impacting how shipping costs are calculated. The issue affects all versions up to 4.2.19 and has a CVSS 3.1 base score of 5.3, indicating a medium severity level. No known exploits are reported in the wild, and no patch or official remediation guidance is currently available.
Potential Impact
Exploitation of this vulnerability allows unauthenticated attackers to delete shipping Table Rates, which can disrupt shipping cost calculations for affected WooCommerce stores. This results in an integrity impact (I:L) but does not affect confidentiality or availability. The disruption could lead to incorrect shipping charges being applied to customers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, monitor for updates from the MultiVendorX plugin vendor and consider restricting access to plugin management interfaces. Avoid exposing the affected functionality to unauthenticated users.
CVE-2025-2789: CWE-862 Missing Authorization in wcmp MultiVendorX – WooCommerce Multivendor Marketplace Solutions
Description
The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The MultiVendorX WooCommerce Multivendor Marketplace plugin suffers from a missing authorization (CWE-862) vulnerability in the delete_table_rate_shipping_row function. This flaw allows unauthenticated attackers to delete Table Rate shipping entries, impacting how shipping costs are calculated. The issue affects all versions up to 4.2.19 and has a CVSS 3.1 base score of 5.3, indicating a medium severity level. No known exploits are reported in the wild, and no patch or official remediation guidance is currently available.
Potential Impact
Exploitation of this vulnerability allows unauthenticated attackers to delete shipping Table Rates, which can disrupt shipping cost calculations for affected WooCommerce stores. This results in an integrity impact (I:L) but does not affect confidentiality or availability. The disruption could lead to incorrect shipping charges being applied to customers.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, monitor for updates from the MultiVendorX plugin vendor and consider restricting access to plugin management interfaces. Avoid exposing the affected functionality to unauthenticated users.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-03-25T13:21:39.878Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b25b7ef31ef0b54ea26
Added to database: 2/25/2026, 9:35:33 PM
Last enriched: 4/9/2026, 10:10:27 AM
Last updated: 4/12/2026, 3:09:02 PM
Views: 24
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.