Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network vector via REST API, low complexity; PR:L reflects the subscriber-level account requirement even with default auto-promote path; read-only injection so I:N and A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The MultiVendorX - WooCommerce Multivendor Marketplace AI Powered Solutions plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This vulnerability is exploitable by any authenticated subscriber-level user when the plugin's store approval setting is configured to automatically approve store owners (described as the default), as this allows any logged-in user to self-register as a store_owner via the public Stores REST endpoint, thereby obtaining the edit_stores capability required to reach the vulnerable transactions endpoint.
AnalysisAI
SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account at subscriber level or above, which on most sites can be obtained via free self-registration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately captures the read-only SQL injection impact but understates the practical exploitation barrier due to the default auto-approval misconfiguration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a target WordPress/WooCommerce site running MultiVendorX with its default auto-approve setting enabled. Using the authenticated Stores REST endpoint, the attacker self-registers as a store_owner (instantly approved), then sends a crafted GET or POST request to the transactions endpoint with a malicious 'order_by' value containing a SQL UNION SELECT statement - for example, injecting a query to retrieve wp_users usernames and hashed passwords or WooCommerce order details. … |
| Remediation | The upstream fix has been committed to the WordPress plugin repository as changeset 3606843 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3606843%40dc-woocommerce-multi-vendor&new=3606843%40dc-woocommerce-multi-vendor); site administrators should update to the version released after 5.0.9 as soon as it becomes available in the WordPress plugin directory, though a specific patched release version has not been independently confirmed from the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44860
GHSA-95xv-f86p-3j6g