Skip to main content

Wc Vendors Marketplace

2 CVEs product

Monthly

CVE-2026-54838 HIGH This Week

SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Wc Vendors Marketplace
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2023-0072 MEDIUM POC This Month

The WC Vendors Marketplace WordPress plugin before 2.4.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wc Vendors Marketplace
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Wc Vendors Marketplace
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The WC Vendors Marketplace WordPress plugin before 2.4.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wc Vendors Marketplace
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy