Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Payload plants via REST API (AV:N/PR:L) but fires only when a victim admin loads the dashboard (UI:R); scope change applies as vendor-context payload executes in admin-context browser.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WCFM Marketplace - Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard.
AnalysisAI
Stored XSS in WCFM Marketplace - Multivendor Marketplace for WooCommerce (all versions ≤ 3.7.3) permits authenticated attackers holding a Vendor-level account to plant persistent JavaScript payloads inside WordPress media attachment titles, targeting any privileged user who subsequently loads the media management dashboard. The injection path is notable for its stealth: the attacker uploads a media file with a crafted post_title via the standard WordPress REST API (/wp-json/wp/v2/media), bypassing any AJAX-based access controls, because the unescaped title is later serialized into DataTables JSON and written directly to the DOM via innerHTML on the admin media interface. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with at least Vendor-level role within the WCFM Marketplace plugin - unauthenticated or subscriber-level exploitation is not possible per the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 6.4 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately captures the network-accessible, low-complexity nature of planting the payload, and the scope change (S:C) correctly models the cross-user impact where a vendor-level attacker compromises an administrator's session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious vendor registered on a WooCommerce multi-vendor marketplace authenticates to the site and sends a crafted POST request to /wp-json/wp/v2/media, setting the media attachment title to a script payload designed to exfiltrate the administrator's session cookie to an attacker-controlled endpoint. The payload is stored unescaped in the WordPress database. … |
| Remediation | A fix has been committed to the plugin's Subversion repository as changeset 3588629 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3588629%40wc-multivendor-marketplace&new=3588629%40wc-multivendor-marketplace); however, the exact released plugin version incorporating this commit is not independently confirmed from the available data - site administrators should update to the latest available version from the WordPress plugin repository and verify it is numbered higher than 3.7.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43158
GHSA-392f-h24w-84fc