CVE-2022-2657

low-risk
Published 2022-09-05

The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF

Do I need to act?

-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Multivendor Marketplace Solution For Woocommerce - Wc Marketplace

Affected Vendors

Wc-Marketplace

References (2)

Exploit https://wpscan.com/vulnerability/c600dd04-f6aa-430b-aefb-c4c6d554c41a
Exploit https://wpscan.com/vulnerability/c600dd04-f6aa-430b-aefb-c4c6d554c41a
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal