How CVE-2025-2789 Works
The vulnerability exists in the `delete_table_rate_shipping_row` function of the MultiVendorX WooCommerce plugin (≤ v4.2.19). Due to a missing capability check, unauthenticated attackers can send crafted HTTP requests to trigger this function, deleting Table Rate shipping entries. This disrupts shipping cost calculations, potentially crippling e-commerce operations. The flaw stems from improper access control in the REST API endpoint handling deletion requests, allowing any visitor to manipulate critical data without authentication.
DailyCVE Form
Platform: WordPress
Version: ≤ 4.2.19
Vulnerability: Unauthenticated data deletion
Severity: Critical
Date: 06/04/2025
Prediction: Patch expected by 07/15/2025
What Undercode Says:
Analytics:
- Exploitability: High (no auth required)
- Impact: Operational disruption
- Attack Vector: HTTP request manipulation
Exploit Command (PoC):
curl -X POST http://<target>/wp-json/mvx/v1/delete_table_rate_shipping_row -d '{"id":"1"}'
Mitigation Steps:
- Temporary Fix: Block unauthorized access to `/wp-json/mvx/v1/` via `.htaccess`:
  <FilesMatch "delete_table_rate_shipping_row"> Require valid-user </FilesMatch>
  Note that `<FilesMatch>` tests the name of the file on disk, and WordPress routes REST requests through `index.php`, so this directive will not match the route as written; key the rule on the request URI instead (an Apache 2.4 `<If>` block on `%{REQUEST_URI}` or a `RewriteRule`). `Require valid-user` also needs an `AuthType`/`AuthUserFile` configuration in place, otherwise Apache answers with a 500.
- Capability check (PHP) to add at the start of the deletion handler:
  if (!current_user_can('manage_options')) { wp_die(__('Unauthorized access.')); }
  For a REST route the idiomatic place for this check is the route's `permission_callback`, which returns a proper JSON 401/403 instead of the HTML page `wp_die()` produces.
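The check above belongs in the route registration itself. The following is an added illustration written for this page, not MultiVendorX's code: it registers a route under the `mvx/v1` namespace and route name quoted in the advisory with a capability-gated `permission_callback` and input validation, and shows the weak `__return_true` pattern beside it for contrast. The `manage_options` capability, the handler name and the handler body are assumptions.

```php
<?php
// Added example (not MultiVendorX's code): hardening a WordPress REST route
// that deletes a table-rate shipping row. Namespace and route name are taken
// from the advisory; the handler body is a stand-in for the plugin's logic.

add_action( 'rest_api_init', function () {
    register_rest_route( 'mvx/v1', '/delete_table_rate_shipping_row', [
        'methods'  => 'POST',
        'callback' => 'example_delete_table_rate_shipping_row',

        // WEAK: '__return_true' lets any unauthenticated visitor call the route.
        // 'permission_callback' => '__return_true',

        // HARDENED: require a capability. Cookie-authenticated callers must also
        // send a valid X-WP-Nonce header; without it WordPress treats the request
        // as logged out and current_user_can() returns false, which also blocks CSRF.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },

        // Validate and sanitize input before the callback runs.
        'args' => [
            'id' => [
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ],
        ],
    ] );
} );

function example_delete_table_rate_shipping_row( WP_REST_Request $request ) {
    $id = (int) $request->get_param( 'id' );

    // Stand-in for the plugin's own delete logic: a filter lets the real
    // implementation report success; nothing is deleted in this example.
    $deleted = apply_filters( 'example_delete_shipping_row', false, $id );

    if ( ! $deleted ) {
        return new WP_Error( 'not_found', 'Shipping row not found.', [ 'status' => 404 ] );
    }

    // Record who deleted what, so the action is attributable in the logs.
    error_log( sprintf( 'shipping row %d deleted by user %d', $id, get_current_user_id() ) );

    return rest_ensure_response( [ 'deleted' => $id ] );
}
```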
Permanent Fix:
- Update plugin upon patch release.
- Audit WooCommerce REST endpoints for similar flaws.
Log Analysis:
grep "POST /wp-json/mvx/v1" /var/log/apache2/access.log | grep -v "admin"
Access logs do not record whether a request carried an authenticated session, so filtering out lines containing "admin" does not isolate unauthenticated calls; treat every POST to this route as suspect and correlate the source IP and timestamp with legitimate administrator activity.
Impact Assessment:
- Shipping cost miscalculations → revenue loss.
- Vendor trust erosion due to data tampering.
Patch Verification:
wp plugin list --name=multivendorx --field=version
Ensure version > 4.2.19 post-update.
Reported By: nvd.nist.gov