CVE-2025-4101: CWE-863 Incorrect Authorization in wcmp MultiVendorX – WooCommerce Multivendor Marketplace Solutions
The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22.
AI Analysis
Technical Summary
The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress contains an authorization bypass vulnerability (CWE-863) due to a misconfigured capability check in the 'delete_fpm_product' function. Authenticated users with Contributor-level privileges or above can exploit this flaw to delete arbitrary posts, pages, attachments, and products. The issue affects all versions up to and including 4.2.22. While version 4.2.22 includes a partial patch, the vulnerability is not fully resolved. The CVSS 3.1 base score is 4.3, reflecting a medium severity with low complexity and requiring low privileges.
Potential Impact
Exploitation of this vulnerability allows authenticated users with Contributor-level access or higher to delete arbitrary content within the WordPress site, including posts, pages, attachments, and products managed by the plugin. This results in unauthorized modification and loss of data integrity. There is no impact on confidentiality or availability according to the CVSS vector. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A partial patch addressing this vulnerability was included in version 4.2.22 of the MultiVendorX plugin. Users should upgrade to version 4.2.22 or later to benefit from the partial fix. Since the patch is partial, users should monitor vendor advisories for further updates or complete fixes. No official patch link is currently provided, and patch status beyond version 4.2.22 is not confirmed. Until a full fix is available, restrict Contributor-level access to trusted users only to mitigate risk.
CVE-2025-4101: CWE-863 Incorrect Authorization in wcmp MultiVendorX – WooCommerce Multivendor Marketplace Solutions
Description
The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress contains an authorization bypass vulnerability (CWE-863) due to a misconfigured capability check in the 'delete_fpm_product' function. Authenticated users with Contributor-level privileges or above can exploit this flaw to delete arbitrary posts, pages, attachments, and products. The issue affects all versions up to and including 4.2.22. While version 4.2.22 includes a partial patch, the vulnerability is not fully resolved. The CVSS 3.1 base score is 4.3, reflecting a medium severity with low complexity and requiring low privileges.
Potential Impact
Exploitation of this vulnerability allows authenticated users with Contributor-level access or higher to delete arbitrary content within the WordPress site, including posts, pages, attachments, and products managed by the plugin. This results in unauthorized modification and loss of data integrity. There is no impact on confidentiality or availability according to the CVSS vector. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A partial patch addressing this vulnerability was included in version 4.2.22 of the MultiVendorX plugin. Users should upgrade to version 4.2.22 or later to benefit from the partial fix. Since the patch is partial, users should monitor vendor advisories for further updates or complete fixes. No official patch link is currently provided, and patch status beyond version 4.2.22 is not confirmed. Until a full fix is available, restrict Contributor-level access to trusted users only to mitigate risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-29T18:54:24.866Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0f81484d88663aeb722
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 4/9/2026, 5:26:15 PM
Last updated: 5/10/2026, 1:44:35 AM
Views: 79
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.