Skip to main content

MultiVendorX WordPress Plugin CVE-2026-12941

| EUVDEUVD-2026-44860 MEDIUM
SQL Injection (CWE-89)
2026-07-16 Wordfence GHSA-95xv-f86p-3j6g
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network vector via REST API, low complexity; PR:L reflects the subscriber-level account requirement even with default auto-promote path; read-only injection so I:N and A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 03:47 vuln.today
CVE Published
Jul 16, 2026 - 02:30 cve.org
MEDIUM 6.5

DescriptionNVD

The MultiVendorX - WooCommerce Multivendor Marketplace AI Powered Solutions plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This vulnerability is exploitable by any authenticated subscriber-level user when the plugin's store approval setting is configured to automatically approve store owners (described as the default), as this allows any logged-in user to self-register as a store_owner via the public Stores REST endpoint, thereby obtaining the edit_stores capability required to reach the vulnerable transactions endpoint.

AnalysisAI

SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register free WordPress subscriber account
Delivery
Call public Stores REST endpoint to self-register as store_owner
Exploit
Auto-approval grants edit_stores capability
Execution
Submit crafted order_by payload to transactions REST endpoint
Persist
Inject UNION SELECT into SQL query
Impact
Exfiltrate sensitive database records

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account at subscriber level or above, which on most sites can be obtained via free self-registration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately captures the read-only SQL injection impact but understates the practical exploitation barrier due to the default auto-approval misconfiguration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a target WordPress/WooCommerce site running MultiVendorX with its default auto-approve setting enabled. Using the authenticated Stores REST endpoint, the attacker self-registers as a store_owner (instantly approved), then sends a crafted GET or POST request to the transactions endpoint with a malicious 'order_by' value containing a SQL UNION SELECT statement - for example, injecting a query to retrieve wp_users usernames and hashed passwords or WooCommerce order details. …
Remediation The upstream fix has been committed to the WordPress plugin repository as changeset 3606843 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3606843%40dc-woocommerce-multi-vendor&new=3606843%40dc-woocommerce-multi-vendor); site administrators should update to the version released after 5.0.9 as soon as it becomes available in the WordPress plugin directory, though a specific patched release version has not been independently confirmed from the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12941 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy