CVE-2025-64631

MEDIUM
2025-12-16 [email protected]
5.0
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 16, 2025 - 09:15 (nvd)

Description

Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Marketplace: from n/a through <= 3.7.1.

Analysis

WCFM Marketplace through version 3.7.1 fails to enforce authorization controls, so an authenticated user with limited privileges can reach functionality that should be restricted to higher-privileged roles and, per the CVSS vector (A:L), cause a limited denial of service. The flaw affects every WordPress installation running the plugin through the specified version and is reachable over the network through the plugin's endpoints without any user interaction. With an EPSS score of 0.05% and a low real-world exploitation probability, it represents a privilege escalation risk primarily for administrators of multi-vendor marketplaces.

Technical Context

The vulnerability is an instance of CWE-862 (Missing Authorization), a class of flaws in which software performs an action or grants access to a resource without verifying that the requesting user is permitted to do so. In WCFM Marketplace, the access control mechanism does not correctly validate user roles and capabilities before allowing authenticated users to perform operations that should be restricted. The plugin is a WordPress marketplace extension (CPE wp:wcfm_marketplace) that manages vendor accounts, product listings, and marketplace transactions. The broken access control lies in application-layer authorization checks, not in cryptography or session management: the defect is in the business logic that decides what each authenticated user may do within the marketplace.
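As an added illustration of the CWE-862 pattern described above, the following hypothetical WordPress AJAX handler shows the vulnerable shape beside a hardened one. It is not code from WCFM Marketplace (the page does not identify the affected endpoint); the action names, meta key and the `example_manage_own_store` capability are assumptions, while `manage_woocommerce` is a real WooCommerce capability.

```php
<?php
// Hypothetical plugin code illustrating CWE-862 (Missing Authorization).
// NOT code from WCFM Marketplace; endpoint, meta key and the custom
// capability name are assumptions chosen for this example.

// --- Vulnerable pattern: the handler trusts that any logged-in user may act. ---
// 'wp_ajax_' hooks only fire for authenticated users. That is exactly the
// PR:L precondition in the CVSS vector; it is not an authorization check.
add_action( 'wp_ajax_example_update_store', 'example_update_store_vulnerable' );

function example_update_store_vulnerable() {
    $store_id = absint( $_POST['store_id'] ?? 0 );
    $name     = sanitize_text_field( wp_unslash( $_POST['store_name'] ?? '' ) );

    // Any authenticated user (subscriber, customer) can modify any store.
    update_post_meta( $store_id, '_example_store_name', $name );
    wp_send_json_success();
}

// --- Hardened pattern: CSRF token, capability check, and object ownership. ---
add_action( 'wp_ajax_example_update_store_secure', 'example_update_store_secure' );

function example_update_store_secure() {
    // 1. Nonce: proves the request came from our own form (CSRF defence).
    //    It says nothing about whether the user is allowed to do this.
    check_ajax_referer( 'example_update_store', 'nonce' );

    $store_id = absint( $_POST['store_id'] ?? 0 );
    $name     = sanitize_text_field( wp_unslash( $_POST['store_name'] ?? '' ) );

    // 2. Capability: the user's role must grant the right to manage stores.
    //    'manage_woocommerce' is a real WooCommerce capability; the vendor-level
    //    capability 'example_manage_own_store' is an assumed name.
    if ( ! current_user_can( 'manage_woocommerce' )
         && ! current_user_can( 'example_manage_own_store' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Object-level authorization: a vendor may only edit a store they own,
    //    unless they hold the marketplace-admin capability. Role checks alone
    //    do not prevent one vendor from editing another vendor's records.
    $store = get_post( $store_id );
    if ( ! $store
         || ( (int) $store->post_author !== get_current_user_id()
              && ! current_user_can( 'manage_woocommerce' ) ) ) {
        wp_send_json_error( array( 'message' => 'not your store' ), 403 );
    }

    update_post_meta( $store_id, '_example_store_name', $name );
    wp_send_json_success();
}
```

The three checks address different questions: the nonce answers "did this request come from my UI?", the capability check answers "may this role perform this operation at all?", and the ownership check answers "may this user act on this particular record?". A handler that has only the first, or only the first two, is still a CWE-862 instance for the questions it leaves unanswered.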

Affected Products

WC Lovers WCFM Marketplace plugin (wp:wcfm_marketplace) in WordPress is affected in all versions from initial release through version 3.7.1. The vulnerability impacts the wc-multivendor-marketplace package that provides marketplace functionality for WooCommerce sites managing multiple vendors. According to the Patchstack database reference, the vulnerability was first documented in connection with version 3.6.15 and remains present through at least 3.7.1.

Remediation

Update WCFM Marketplace plugin to a version after 3.7.1 as soon as available from the plugin developer. Site administrators should navigate to WordPress Dashboard → Plugins → Installed Plugins, locate WC Lovers WCFM Marketplace, and click Update if a newer version is available. Until a patched version is confirmed, restrict access to marketplace management functions by ensuring only trusted administrators and vendors have elevated privileges, and audit user role assignments to remove unnecessary permissions. Refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-6-15-broken-access-control-vulnerability for the latest patch availability and additional remediation guidance from the vendor.
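To support the interim advice above (audit role assignments while no patched release is confirmed), here is an added, hypothetical audit snippet that is not part of the plugin or of this advisory. It lists WordPress users who hold capabilities relevant to marketplace management; `manage_woocommerce`, `edit_others_products` and `manage_options` are real WooCommerce/WordPress capabilities, and the function name is an assumption.

```php
<?php
// Added example (not from WCFM Marketplace or vuln.today): enumerate users
// whose roles grant marketplace-management capabilities, so unexpected grants
// can be reviewed while the plugin is unpatched.

function example_audit_elevated_users( array $sensitive_caps ) {
    // Fetch every user; on very large sites page this with 'number'/'offset'.
    $query = new WP_User_Query( array(
        'number' => -1,
        'fields' => 'all',
    ) );

    $findings = array();
    foreach ( $query->get_results() as $user ) {
        $granted = array();
        foreach ( $sensitive_caps as $cap ) {
            // user_can() resolves role grants plus any per-user capability
            // overrides, which a role-only listing would miss.
            if ( user_can( $user, $cap ) ) {
                $granted[] = $cap;
            }
        }
        if ( $granted ) {
            $findings[] = array(
                'ID'    => $user->ID,
                'login' => $user->user_login,
                'roles' => $user->roles,
                'caps'  => $granted,
            );
        }
    }
    return $findings;
}

// Run from a must-use plugin or via WP-CLI: `wp eval-file audit.php`.
// Review every entry that is not a known administrator or a vetted vendor.
$report = example_audit_elevated_users(
    array( 'manage_woocommerce', 'edit_others_products', 'manage_options' )
);
foreach ( $report as $f ) {
    printf(
        "%d %s roles=%s caps=%s\n",
        $f['ID'],
        $f['login'],
        implode( ',', $f['roles'] ),
        implode( ',', $f['caps'] )
    );
}
```

Checking capabilities rather than role names matters because plugins and site owners can attach capabilities directly to individual users; a user with the "customer" role but a stray `manage_woocommerce` grant would not show up in a role-based listing.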

Priority Score

25 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +25
POC: 0
