CVE-2022-2657
Last modified
CVE-2022-2657 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF. EPSS estimates a 0.27% chance of exploitation in the next 30 days.
Description
The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wc-Marketplace | Multivendor Marketplace Solution For Woocommerce - Wc Marketplace | < 3.8.12 |
References
- https://wpscan.com/vulnerability/c600dd04-f6aa-430b-aefb-c4c6d554c41aExploit, Third Party Advisory
- https://wpscan.com/vulnerability/c600dd04-f6aa-430b-aefb-c4c6d554c41aExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-2657?
How severe is CVE-2022-2657?
How do I fix CVE-2022-2657?
Are you affected by CVE-2022-2657?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST