CVE-2024-9531
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to send unauthorized deactivation requests for arbitrary vendor profiles. Attackers can trigger canned emails to administrators requesting vendor account deletion, potentially disrupting marketplace operations. All WordPress sites using the MultiVendorX plugin up to version 4.2.4 are affected.
💻 Affected Systems
- MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
📦 What is this software?
Multivendorx by Multivendorx
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors systematically request deactivation of all vendors, causing complete marketplace disruption, financial losses, and reputational damage.
Likely Case
Targeted harassment of specific vendors through repeated deactivation requests, creating administrative burden and potential vendor churn.
If Mitigated
Administrators receive nuisance emails but recognize them as unauthorized and ignore them, with no actual vendor accounts being disabled.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The vulnerability is well-documented with code references available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.5 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the MultiVendorX plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.2.5+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporarily disable vulnerable function
Add a capability check to prevent unauthorized access to the mvx_sent_deactivation_request function
Edit wp-content/plugins/dc-woocommerce-multi-vendor/classes/class-mvx-ajax.php
Add capability check before line 3780: if (!current_user_can('manage_options')) wp_die();
Restrict user registration
Temporarily disable new user registration to prevent new attackers from gaining access
In WordPress admin: Settings → General → Membership → Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict user role management and review all Subscriber+ accounts for suspicious activity
- Monitor administrator email inbox for unusual deactivation requests and implement email filtering rules
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin: Plugins → Installed Plugins → MultiVendorX. If version is 4.2.4 or lower, you are vulnerable.
Check Version:
wp plugin list --name='MultiVendorX' --field=version
Verify Fix Applied:
After updating, verify that the version is 4.2.5 or higher. Then, using a Subscriber-level test account, confirm that the deactivation request functionality is no longer accessible.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=mvx_sent_deactivation_request from non-admin users
- Multiple deactivation request emails from the same user in short timeframe
Network Indicators:
- POST requests to admin-ajax.php with vendor_id parameter from non-privileged user accounts
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "mvx_sent_deactivation_request" AND NOT user_role="administrator"
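To turn the log and network indicators above into something that runs offline, here is an added Python example (not part of this advisory, the plugin, or the SIEM). It assumes a hypothetical JSON-lines wordpress.log with the user_role, action and vendor_id fields the SIEM query references, flags every deactivation request from a non-administrator, and reports users who repeat it within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical JSON-lines "wordpress.log" format;
# the field names (user_role, action, vendor_id) are assumptions, not the plugin's.
SAMPLE_LOG = """
{"ts": "2024-10-05T10:00:01Z", "user": "admin", "user_role": "administrator", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "mvx_sent_deactivation_request", "vendor_id": 12}
{"ts": "2024-10-05T10:01:10Z", "user": "sub1", "user_role": "subscriber", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "mvx_sent_deactivation_request", "vendor_id": 12}
{"ts": "2024-10-05T10:01:15Z", "user": "sub1", "user_role": "subscriber", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "mvx_sent_deactivation_request", "vendor_id": 13}
{"ts": "2024-10-05T10:01:20Z", "user": "sub1", "user_role": "subscriber", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "mvx_sent_deactivation_request", "vendor_id": 14}
{"ts": "2024-10-05T10:02:00Z", "user": "sub2", "user_role": "subscriber", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "heartbeat"}
{"ts": "2024-10-05T11:30:00Z", "user": "sub2", "user_role": "subscriber", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "mvx_sent_deactivation_request", "vendor_id": 12}
"""

TARGET_ACTION = "mvx_sent_deactivation_request"
PRIVILEGED_ROLES = {"administrator"}

def is_unprivileged_deactivation(ev):
    """True for a POST to admin-ajax.php carrying the vulnerable action from a non-admin."""
    return (ev.get("method") == "POST"
            and ev.get("path", "").endswith("/admin-ajax.php")
            and ev.get("action") == TARGET_ACTION
            and ev.get("user_role") not in PRIVILEGED_ROLES)

def analyze(log_text, window=timedelta(minutes=5), threshold=3):
    """Return (hits, bursts): every matching event, plus users who sent at least
    `threshold` such requests inside any `window`-long sliding interval."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if is_unprivileged_deactivation(ev):
            hits.append(ev)
    by_user = defaultdict(list)
    for ev in hits:
        by_user[ev["user"]].append(ev["ts"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = end - start + 1
                break
    return hits, bursts
```

On the constructed sample this yields four single hits (the administrator's request and the heartbeat call are excluded) and one burst, sub1 with three requests in ten seconds; a real deployment would feed it the site's actual log export and tune window and threshold to expected vendor-support volume.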
🔗 References
- https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/classes/class-mvx-ajax.php#L3780
- https://plugins.trac.wordpress.org/changeset/3173238/dc-woocommerce-multi-vendor/trunk/classes/class-mvx-ajax.php?contextall=1&old=3168957&old_path=%2Fdc-woocommerce-multi-vendor%2Ftrunk%2Fclasses%2Fclass-mvx-ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5af1063c-615e-4196-9fa6-960c008544c4?source=cve