{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4101", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-29T18:54:24.866Z", "datePublished": "2025-05-17T12:22:42.688Z", "dateUpdated": "2026-04-08T16:55:32.506Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:32.506Z"}, "affected": [{"vendor": "wcmp", "product": "MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22."}], "title": "MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions <= 4.2.22 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Post Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c1fd517-32ee-429d-9026-512afe117dc5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/classes/class-mvx-ajax.php#L982"}, {"url": "https://plugins.trac.wordpress.org/changeset/3293832/dc-woocommerce-multi-vendor/trunk/classes/class-mvx-ajax.php?old=3272848&old_path=dc-woocommerce-multi-vendor%2Ftrunk%2Fclasses%2Fclass-mvx-ajax.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "timeline": [{"time": "2025-05-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-19T14:49:33.654965Z", "id": "CVE-2025-4101", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T14:49:42.304Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4101", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-19T14:49:33.654965Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T14:49:38.137Z"}}], "cna": {"title": "MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions <= 4.2.22 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Post Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wcmp", "product": "MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.2.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c1fd517-32ee-429d-9026-512afe117dc5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/classes/class-mvx-ajax.php#L982"}, {"url": "https://plugins.trac.wordpress.org/changeset/3293832/dc-woocommerce-multi-vendor/trunk/classes/class-mvx-ajax.php?old=3272848&old_path=dc-woocommerce-multi-vendor%2Ftrunk%2Fclasses%2Fclass-mvx-ajax.php"}], "descriptions": [{"lang": "en", "value": "The MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:32.506Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4101", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:32.506Z", "dateReserved": "2025-04-29T18:54:24.866Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-17T12:22:42.688Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:multivendorx:multivendorx:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "15FEFE26-304E-4BCE-B02B-D225E054FBAB", "versionEndExcluding": "4.2.23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22."}, {"lang": "es", "value": "El complemento MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a una comprobaci\u00f3n de capacidad mal configurada en la funci\u00f3n \"delete_fpm_product\" en todas las versiones hasta la 4.2.22 incluida. Esto permite a atacantes autenticados, con acceso de Colaborador o superior, eliminar entradas, p\u00e1ginas, archivos adjuntos y productos arbitrarios. La vulnerabilidad se corrigi\u00f3 parcialmente en la versi\u00f3n 4.2.22."}], "id": "CVE-2025-4101", "lastModified": "2025-05-28T13:28:20.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-17T13:15:47.910", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/classes/class-mvx-ajax.php#L982"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3293832/dc-woocommerce-multi-vendor/trunk/classes/class-mvx-ajax.php?old=3272848&old_path=dc-woocommerce-multi-vendor%2Ftrunk%2Fclasses%2Fclass-mvx-ajax.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c1fd517-32ee-429d-9026-512afe117dc5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:44:17.682480+00:00", "value": {"mitigation_remediation": ["Upgrade the MultiVendorX plugin to version 4.2.22 or later to implement the corrected capability check", "Adjust Contributor\u2011level role capabilities to remove or restrict the ability to delete posts, pages, attachments, or products for users who do not require this permission", "Monitor site logs for unexpected deletion activity from Contributor accounts and enforce stricter role boundaries if necessary"], "summary": {"action": "Apply Patch", "impact": "Arbitrary post, page, attachment, and product deletion by authenticated users with Contributor-level access"}, "threat_synthesis": {"affected_systems": "WordPress sites running the MultiVendorX \u2013 WooCommerce Multivendor Marketplace Solutions plugin in versions up to and including 4.2.22 are affected. The vendor identified as wcmp:MultiVendorX delivers the plugin, which integrates tightly with WooCommerce and operates as a standard WordPress plugin. Users of these plugin versions on any WordPress installation without the fixed capability check are vulnerable.", "description_and_impact": "The vulnerability arises from a misconfigured capability check on the delete_fpm_product function, allowing any authenticated user with Contributor permissions or higher to delete arbitrary posts, pages, attachments, and products. This results in unintended data loss and potential disruption of the marketplace\u2019s content integrity. The weakness maps to CWE\u2011863, an improper authorization flaw that compromises the integrity of stored data. The impact is limited to data loss rather than system compromise, but it can undermine user trust and content consistency.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a moderate risk level, while the EPSS score is below 1%, suggesting a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to be authenticated and belong to the Contributor role or higher; the exploitation path involves invoking the delete_fpm_product function via the plugin\u2019s AJAX endpoint or admin interface. Because the flaw is limited to content deletion, attackers can cause data loss and service disruption but cannot gain broader system control."}}}}, "created": "2026-04-21T20:45:25.983006+00:00", "updated": "2026-04-21T20:45:25.983018+00:00", "vendors": []}