CVE-2025-64631: Missing Authorization in WC Lovers WCFM Marketplace
Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Marketplace: from n/a through <= 3.6.15 (all releases up to and including 3.6.15).
AI Analysis
Technical Summary
CVE-2025-64631 is a Missing Authorization (CWE-862) vulnerability in the WC Lovers WCFM Marketplace WordPress plugin (slug wc-multivendor-marketplace), affecting all versions up to and including 3.6.15. The phrase "Exploiting Incorrectly Configured Access Control Security Levels" in the description is the name of the CAPEC attack pattern (CAPEC-180) that is paired with this weakness class; it does not mean the flaw is a site misconfiguration. In a WordPress plugin this class almost always means a code path (an admin-ajax action, a REST route, a form handler or a shortcode callback) that performs a privileged operation without a capability check such as current_user_can(), without verifying that the caller owns the object it acts on, or both. Because the check is absent from the plugin code, no role or settings change on the site can add it; only a plugin update can.

The advisory does not name the affected function or state what privilege level an attacker needs. Missing-authorization flaws in WordPress plugins are commonly reachable by a low-privileged authenticated user (here a customer or vendor account on the marketplace) and, in the worst case, unauthenticated via a wp_ajax_nopriv_ hook or a public REST route; which of these applies to this CVE is not stated and should not be assumed either way.

WCFM Marketplace turns a WooCommerce site into a multivendor marketplace and manages vendor storefronts, product listings and transactions, so the handlers it exposes to vendors and customers touch product data, order data and vendor accounts. Depending on which handler lacks the check, exploitation could let an attacker modify or delete marketplace data, interfere with other vendors' operations, or read data they should not see, such as customer or transaction details. That affects confidentiality and integrity and, where the unchecked action can delete or disable records, availability.

No public exploit is known at the time of writing, but missing-authorization flaws are typically straightforward to exploit once the affected endpoint is identified: the request is usually an ordinary POST to admin-ajax.php or a REST route with the right parameters. No CVSS score was recorded when this entry was enriched (the Technical Details below show a null CVSS version); that is a property of the record, not an indication of low severity. The CVE was reserved on 2025-11-06 and published in mid-December 2025. No patch or vendor advisory is linked here; since the affected range ends at 3.6.15, any fix will be in a later release, so check the plugin changelog and the Patchstack advisory for the fixed version rather than waiting for this page to be updated.
Potential Impact
For European organizations running WooCommerce marketplaces on WCFM Marketplace, the main exposure is the customer personal data, vendor information and transaction records the marketplace holds; unauthorized access to or modification of that data is a personal data breach under GDPR, with its notification duties and potential fines. Loss of integrity could take the form of fraudulent transactions, unauthorized or altered product listings, or tampering with vendor accounts; availability is affected if the unchecked action can delete or disable products, vendors or orders. Because the plugin sits between one store operator and many independent vendors, a single compromised marketplace exposes every vendor selling through it, which is how the impact propagates along the supply chain. WordPress and multivendor plugins are widely used by small and medium enterprises in Europe, so many of the affected sites will be smaller retailers with limited security staffing, alongside larger retailers that run marketplaces on the same stack. Reputational damage and regulatory consequences can be substantial in both cases.
Mitigation Recommendations
1. Monitor official WC Lovers and Patchstack advisories (Patchstack is the assigning CNA for this CVE) for the release that fixes CVE-2025-64631 and update as soon as it is available; a fixed version must be newer than 3.6.15.
2. Audit user roles and the plugin's own vendor and customer settings to reduce who can reach the plugin's handlers. This limits the blast radius only: the missing check is in the plugin code and cannot be added by configuration.
3. Enforce least privilege. Keep store-administrator capabilities (manage_woocommerce, manage_options) off vendor and customer accounts, and review pending or self-registered vendor accounts, since low-privileged accounts are the usual starting point for this class of flaw.
4. Until patched, use a WAF or the web server to restrict the plugin's admin-ajax actions and REST routes: for example, log and rate-limit POSTs to /wp-admin/admin-ajax.php whose action parameter is one of the plugin's, and block them from unauthenticated sessions where the storefront does not need them. Test such rules on a staging site first; the same endpoints drive legitimate vendor dashboards.
5. Log and review marketplace activity for product deletions or edits by users who do not own the product, bulk changes from a single account, and admin-ajax or REST requests from accounts that normally never make them.
6. Brief administrators and vendors. A missing-authorization flaw needs no action from a victim, so the point is account hygiene (strong passwords and MFA where the site supports it) for every vendor and staff login, with phishing awareness as a secondary concern.
7. If patching is not possible immediately, disable plugin features that are not needed or restrict vendor-dashboard access (for example by IP allow-listing or by temporarily suspending vendor accounts) to shrink the reachable attack surface.
8. Keep WordPress core, WooCommerce and all plugins current, enforce strong authentication for administrative and vendor accounts, and include the marketplace endpoints in regular security assessments.
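The pattern the technical summary describes, and the code-level check that recommendations 2 and 3 above cannot substitute for, as an added PHP example that is not code from WCFM Marketplace or WC Lovers (the advisory does not name the affected handler): a WordPress admin-ajax product-deletion handler with no authorization check, beside its hardened form. The action names, the manage_vendor_products capability and the user and product IDs in the self-check are hypothetical; the WordPress and WooCommerce functions and the manage_woocommerce capability are real.

```php
<?php
/**
 * Added illustration of CWE-862 in a WordPress plugin; not WCFM Marketplace code.
 * An admin-ajax handler that performs a privileged action without checking who
 * is asking, followed by the hardened form.
 * Hypothetical: the action names, the "manage_vendor_products" capability and the
 * sample IDs in the stand-alone self-check at the bottom.
 * Real APIs: add_action, check_ajax_referer, current_user_can, get_current_user_id,
 * get_post, wp_delete_post, wp_send_json_success/error, WooCommerce's "manage_woocommerce".
 */

/* ---- Vulnerable form ----------------------------------------------------
 * Deletes whatever product ID the request names. Any logged-in user who knows
 * the action name can reach it; hooked as wp_ajax_nopriv_ it would be reachable
 * without logging in. No nonce, no capability check, no ownership check.
 * Defined here only for comparison; it is deliberately never hooked.
 */
function example_delete_product_vulnerable(): void {
    $product_id = (int) ($_POST['product_id'] ?? 0);
    wp_delete_post($product_id, true);
    wp_send_json_success(['deleted' => $product_id]);
}

/* ---- Hardened form ------------------------------------------------------
 * The policy is a pure function so it can be reviewed and run without a
 * WordPress install: store staff may delete any product, a vendor only the
 * products they own, everyone else nothing.
 */
function example_can_delete_product(array $caps, int $user_id, int $owner_id): bool {
    if (!empty($caps['manage_woocommerce'])) {
        return true;                                   // store administrator
    }
    return !empty($caps['manage_vendor_products'])     // vendor role...
        && $user_id > 0                                // ...who is logged in...
        && $user_id === $owner_id;                     // ...and owns the product
}

function example_delete_product_hardened(): void {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    This is NOT authorization; any logged-in user can obtain a nonce.
    check_ajax_referer('example_delete_product', 'nonce');

    // 2. Validate the target before reasoning about it.
    $product_id = (int) ($_POST['product_id'] ?? 0);
    $post       = get_post($product_id);
    if (!$post || $post->post_type !== 'product') {
        wp_send_json_error('not found', 404);          // wp_send_json_error() exits
    }

    // 3. Authorization: capability AND object ownership, decided server-side
    //    from the session, never from request parameters.
    $caps = [
        'manage_woocommerce'     => current_user_can('manage_woocommerce'),
        'manage_vendor_products' => current_user_can('manage_vendor_products'),
    ];
    if (!example_can_delete_product($caps, get_current_user_id(), (int) $post->post_author)) {
        wp_send_json_error('forbidden', 403);
    }

    wp_delete_post($product_id, true);
    wp_send_json_success(['deleted' => $product_id]);
}

if (function_exists('add_action')) {
    // Inside WordPress: register only the hardened handler.
    add_action('wp_ajax_example_delete_product', 'example_delete_product_hardened');
} else {
    // Outside WordPress (`php this_file.php`): exercise the policy alone.
    $vendor = ['manage_vendor_products' => true];
    $admin  = ['manage_woocommerce' => true];
    $checks = [
        example_can_delete_product($vendor, 7, 7) === true,   // own product
        example_can_delete_product($vendor, 7, 9) === false,  // another vendor's product
        example_can_delete_product([], 7, 7)      === false,  // customer, even as "owner"
        example_can_delete_product($admin, 1, 9)  === true,   // store staff: any product
        example_can_delete_product($vendor, 0, 0) === false,  // anonymous request
    ];
    echo in_array(false, $checks, true) ? "policy FAILED\n" : "policy ok\n";
}
```

Two things to take from it: the fix lives in code (a capability check plus an ownership check on the object), which no role configuration on the site can substitute for, and a nonce alone is not authorization: check_ajax_referer() stops cross-site request forgery but still lets any logged-in user holding a valid nonce call the handler.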
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-06T13:11:11.069Z
- CVSS Version: null (no score recorded)
- State: PUBLISHED
Threat ID: 6941174f594e45819d70c59e
Added to database: 12/16/2025, 8:24:47 AM
Last enriched: 12/16/2025, 8:38:15 AM
Last updated: 12/18/2025, 4:11:56 AM
Views: 5