Show filters
8 Total Results
Displaying 1-8 of 8
Sort by:
Attacker Value
Unknown

CVE-2025-24706

Disclosure Date: January 24, 2025 (last updated January 25, 2025)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX WC Marketplace allows Stored XSS. This issue affects WC Marketplace: from n/a through 4.2.13.
0
0
Attacker Value
Unknown

CVE-2023-51355

Disclosure Date: December 09, 2024 (last updated December 21, 2024)
Missing Authorization vulnerability in MultiVendorX WC Marketplace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WC Marketplace: from n/a through 4.0.23.
0
0
Attacker Value
Unknown

CVE-2022-4974

Disclosure Date: October 16, 2024 (last updated October 16, 2024)
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Attack Vector: NetworkPrivileges: LowUser Interaction: None
0
0
Attacker Value
Unknown

CVE-2024-43213

Disclosure Date: August 12, 2024 (last updated August 13, 2024)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MultiVendorX WC Marketplace allows Reflected XSS.This issue affects WC Marketplace: from n/a through 4.1.17.
0
0
Attacker Value
Unknown

CVE-2024-24703

Disclosure Date: June 11, 2024 (last updated June 12, 2024)
Missing Authorization vulnerability in MultiVendorX WC Marketplace.This issue affects WC Marketplace: from n/a through 4.0.25.
0
0
Attacker Value
Unknown

CVE-2024-30433

Disclosure Date: March 29, 2024 (last updated January 05, 2025)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX WC Marketplace allows Stored XSS.This issue affects WC Marketplace: from n/a through 4.1.3.
0
0
Attacker Value
Unknown

CVE-2023-0072

Disclosure Date: February 06, 2023 (last updated October 08, 2023)
The WC Vendors Marketplace WordPress plugin before 2.4.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Attack Vector: NetworkPrivileges: LowUser Interaction: Required
0
0
Attacker Value
Unknown

CVE-2022-2657

Disclosure Date: September 05, 2022 (last updated October 08, 2023)
The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF
Attack Vector: NetworkPrivileges: LowUser Interaction: None
0
0