Skip to main content

WC Lovers WCFM Marketplace CVE-2025-64631

MEDIUM
Missing Authorization (CWE-862)
2025-12-16 audit@patchstack.com
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.0 (MEDIUM) 4.9 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 16, 2025 - 09:15 nvd
MEDIUM 5.0

DescriptionCVE.org

Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Marketplace: from n/a through <= 3.7.1.

AnalysisAI

WCFM Marketplace plugin through version 3.7.1 fails to properly enforce authorization controls, allowing authenticated users with limited privileges to cause denial of service or access functionality they should not have. The vulnerability affects the WordPress plugin across all installations through the specified version, exploiting incorrectly configured access control security levels via network-accessible endpoints. With an EPSS score of 0.05% and low real-world exploitation probability, this represents a privilege escalation risk primarily for multi-vendor marketplace administrators.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a class of flaws where software performs an action or grants access to a resource without properly verifying that the user has permission to perform that action. In WCFM Marketplace, the access control mechanism fails to correctly validate user roles and capabilities before allowing authenticated users to perform operations they should not have access to. The plugin is a WordPress marketplace extension (CPE wp:wcfm_marketplace) that manages vendor accounts, product listings, and marketplace transactions. The broken access control specifically impacts authorization checks at the application layer, not cryptographic or session management, meaning the vulnerability exists in the business logic that determines what each authenticated user can do within the marketplace.

Affected ProductsAI

WC Lovers WCFM Marketplace plugin (wp:wcfm_marketplace) in WordPress is affected in all versions from initial release through version 3.7.1. The vulnerability impacts the wc-multivendor-marketplace package that provides marketplace functionality for WooCommerce sites managing multiple vendors. According to the Patchstack database reference, the vulnerability was first documented in connection with version 3.6.15 and remains present through at least 3.7.1.

RemediationAI

Update WCFM Marketplace plugin to a version after 3.7.1 as soon as available from the plugin developer. Site administrators should navigate to WordPress Dashboard → Plugins → Installed Plugins, locate WC Lovers WCFM Marketplace, and click Update if a newer version is available. Until a patched version is confirmed, restrict access to marketplace management functions by ensuring only trusted administrators and vendors have elevated privileges, and audit user role assignments to remove unnecessary permissions. Refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-6-15-broken-access-control-vulnerability for the latest patch availability and additional remediation guidance from the vendor.

Share

CVE-2025-64631 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy