Refine your search
2 vulnerabilities found for WCFM – Multivendor Marketplace REST API for WooCommerce by wclovers
CVE-2025-1311 (GCVE-0-2025-1311)
Vulnerability from cvelistv5
Published
2025-03-22 06:41
Modified
2026-04-08 17:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wclovers | WCFM – Multivendor Marketplace REST API for WooCommerce |
Version: 0 ≤ 1.6.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T13:18:39.298151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T13:18:47.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WCFM \u2013 Multivendor Marketplace REST API for WooCommerce",
"vendor": "wclovers",
"versions": [
{
"lessThanOrEqual": "1.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Tan Phat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Multivendor Marketplace \u2013 REST API plugin for WordPress is vulnerable to SQL Injection via the \u0027id\u0027 parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:14.581Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff5cda2-edcd-4fa5-9c8e-427a43802ed1?source=cve"
},
{
"url": "https://wordpress.org/plugins/wcfm-marketplace-rest-api/"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/trunk/includes/api/class-api-deliveries-controller.php#L303"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3267377/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-21T17:52:03.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce Multivendor Marketplace \u2013 REST API \u003c= 1.6.2 - Authenticated (Subscriber+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1311",
"datePublished": "2025-03-22T06:41:12.043Z",
"dateReserved": "2025-02-14T20:12:02.373Z",
"dateUpdated": "2026-04-08T17:00:14.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2275 (GCVE-0-2023-2275)
Vulnerability from cvelistv5
Published
2023-06-09 05:33
Modified
2026-04-08 17:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'get_item', 'get_order_notes' and 'add_order_note' functions in versions up to, and including, 1.5.3. This makes it possible for authenticated attackers with subscriber privileges or above, to view the order details and order notes, and add order notes.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wclovers | WCFM – Multivendor Marketplace REST API for WooCommerce |
Version: 0 ≤ 1.5.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L151"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L167"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L175"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2904331/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:23:58.499390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:36:48.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WCFM \u2013 Multivendor Marketplace REST API for WooCommerce",
"vendor": "wclovers",
"versions": [
{
"lessThanOrEqual": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Multivendor Marketplace \u2013 REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the \u0027get_item\u0027, \u0027get_order_notes\u0027 and \u0027add_order_note\u0027 functions in versions up to, and including, 1.5.3. This makes it possible for authenticated attackers with subscriber privileges or above, to view the order details and order notes, and add order notes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:15:51.530Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L151"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L167"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L175"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2904331/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-04-25T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-04-25T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-04-26T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce Multivendor Marketplace \u2013 REST API \u003c= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2275",
"datePublished": "2023-06-09T05:33:28.997Z",
"dateReserved": "2023-04-25T11:42:13.932Z",
"dateUpdated": "2026-04-08T17:15:51.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}