MultiVendorX (WordPress Plugin), Unauthenticated Data Deletion, CVE-2025-2789 (Critical)

How CVE-2025-2789 Works

The vulnerability exists in the `delete_table_rate_shipping_row` function of the MultiVendorX WooCommerce plugin (≤ v4.2.19). Due to a missing capability check, unauthenticated attackers can send crafted HTTP requests to trigger this function, deleting Table Rate shipping entries. This disrupts shipping cost calculations, potentially crippling e-commerce operations. The flaw stems from improper access control in the REST API endpoint handling deletion requests, allowing any visitor to manipulate critical data without authentication.

DailyCVE Form

Platform: WordPress
Version: ≤ 4.2.19
Vulnerability: Unauthenticated data deletion
Severity: Critical
Date: 06/04/2025

Prediction: Patch expected by 07/15/2025

What Undercode Says:

Analytics:

  • Exploitability: High (no auth required)
  • Impact: Operational disruption
  • Attack Vector: HTTP request manipulation

Exploit Command (PoC):

curl -X POST http://<target>/wp-json/mvx/v1/delete_table_rate_shipping_row -d '{"id":"1"}'

Mitigation Steps:

  1. Temporary Fix: Block access to the vulnerable route under `/wp-json/mvx/v1/` via .htaccess. Note that `<FilesMatch>` matches file names on disk, not REST routes (which are served through index.php), and `Require valid-user` fails with a server error unless HTTP authentication is configured, so match the request URI with mod_rewrite instead and also cover the `?rest_route=` form used when pretty permalinks are off:
    RewriteEngine On
    RewriteCond %{QUERY_STRING} rest_route=/?mvx/v1/delete_table_rate_shipping_row [NC,OR]
    RewriteCond %{REQUEST_URI} ^/wp-json/mvx/v1/delete_table_rate_shipping_row [NC]
    RewriteRule ^ - [F,L]

  2. Detection Script (PHP): a capability guard placed at the top of the deletion handler, so the request is refused before any row is touched:
    // Refuse the request unless the caller may manage site options.
    // In a REST handler, returning a WP_Error (or using permission_callback) is the cleaner equivalent.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'Unauthorized access.' ) );
    }
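The flaw described above is a REST route whose handler runs without an authorization check. The following is an added example, not MultiVendorX code, of how a WordPress REST deletion route should be registered so that the check the capability guard above performs is enforced by the REST layer itself. The namespace `example/v1`, the callback `example_delete_shipping_row` and the table name `example_table_rate_shipping` are assumptions for illustration; the weak registration is shown commented out for contrast.

```php
<?php
// Added example (not the plugin's own code). Route name, callback and table
// name are assumptions chosen for illustration.

add_action( 'rest_api_init', function () {
    // Weak form, for contrast only: '__return_true' lets any visitor call the
    // route, which is the access-control gap described in the advisory.
    // register_rest_route( 'example/v1', '/delete_table_rate_shipping_row', array(
    //     'methods'             => WP_REST_Server::DELETABLE,
    //     'callback'            => 'example_delete_shipping_row',
    //     'permission_callback' => '__return_true',
    // ) );

    // Hardened form: the permission callback gates the handler, and the
    // 'id' argument is validated and sanitized before the callback runs.
    register_rest_route( 'example/v1', '/delete_table_rate_shipping_row', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_shipping_row',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Only users allowed to manage WooCommerce settings may delete rows.
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Unauthorized access.' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );

/**
 * Deletes one table-rate shipping row by primary key.
 * Reached only after permission_callback returned true.
 */
function example_delete_shipping_row( WP_REST_Request $request ) {
    global $wpdb;
    $id    = (int) $request->get_param( 'id' );
    $table = $wpdb->prefix . 'example_table_rate_shipping'; // assumed table name

    // $wpdb->delete() builds a prepared statement; '%d' forces an integer bind.
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        return new WP_Error( 'db_error', __( 'Delete failed.' ), array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => (int) $deleted, 'id' => $id ) );
}
```

With cookie authentication the caller must also send the `X-WP-Nonce` header (from `wp_create_nonce( 'wp_rest' )`); without it WordPress treats the request as unauthenticated, `current_user_can()` returns false, and the permission callback rejects it, which is the behaviour a deletion route should have.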

Permanent Fix:

  • Update plugin upon patch release.
  • Audit WooCommerce REST endpoints for similar flaws.

Log Analysis:

grep "POST /wp-json/mvx/v1" /var/log/apache2/access.log | grep -v "admin"

Impact Assessment:

  • Shipping cost miscalculations → revenue loss.
  • Vendor trust erosion due to data tampering.

Patch Verification:

wp plugin list --name=multivendorx --field=version

Ensure version > 4.2.19 post-update.

References:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
