CVE-2022-2657

CVE-2022-2657: Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthorised AJAX Calls

Vendor: Unknown
Product: Multivendor Marketplace Solution for WooCommerce – WC Marketplace
Weakness: CWE-862 · Missing authorization
Published: September 5, 2022
Last update: August 3, 2024

What the vulnerability does

01 Description

The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 lacks authorisation and CSRF checks in multiple AJAX actions. This could allow any authenticated user, such as a subscriber, to call them and, for example, suspend vendors (reported by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue). Other unauthenticated attacks are also possible, either directly or via CSRF.

Key dates

02 Disclosure timeline

September 5, 2022: CVE published
August 3, 2024: Record updated
