CVE-2025-0493

9.8 CRITICAL

📋 TL;DR

The MultiVendorX WordPress plugin, in all versions up to and including 4.2.14, passes the tabname parameter of one of its AJAX handlers into a PHP file include without adequate validation. An unauthenticated attacker can therefore include and execute any PHP file that already exists on the server (local file inclusion), which can bypass access controls or expose sensitive data; where the attacker can also get a PHP file onto the server (for example through an upload feature), this becomes remote code execution. Every WordPress site running MultiVendorX 4.2.14 or earlier is affected.

💻 Affected Systems

Products:
  • MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Versions: All versions up to and including 4.2.14
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce and MultiVendorX plugin installed. No authentication required for exploitation.

📦 What is this software?

MultiVendorX is a WordPress plugin that extends a WooCommerce store into a multi-vendor marketplace, letting third-party vendors sell through one site with their own dashboards. It is distributed through the WordPress.org plugin repository under the slug dc-woocommerce-multi-vendor.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise via remote code execution, allowing attackers to install malware, steal sensitive data, deface websites, or pivot to internal networks.

🟠

Likely Case

Unauthenticated attackers include PHP files already on the server to bypass access controls or read sensitive data. Where they can also place a PHP file on the server (for example through an upload feature of the site or another plugin), they include that file and gain code execution, leading to website takeover and data exfiltration.

🟢

If Mitigated

If the AJAX endpoint is blocked or the plugin is updated, the inclusion path is closed. If only PHP uploads have been blocked, attackers are limited to including PHP files that already exist on the server, which still allows information disclosure or privilege escalation through whatever those files do when executed out of context.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only an HTTP request to the AJAX endpoint with a tabname value pointing at a PHP file on the server; WordPress core and plugin file paths are well known, so no reconnaissance of the target is usually needed. Turning the inclusion into code execution additionally requires a way to place attacker-controlled PHP on the server, such as an upload feature that accepts PHP files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.15

Vendor Advisory (link goes to the patched source in the plugin's trac): https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.15/classes/class-mvx-ajax.php#L661

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the MultiVendorX plugin.
4. Click 'Update Now' if an update is available.
5. If no update shows, manually download version 4.2.15 or later from the WordPress plugin repository and replace the plugin files under wp-content/plugins/dc-woocommerce-multi-vendor/.

🔧 Temporary Workarounds

Block the vulnerable endpoint

Refuse requests to the WordPress AJAX endpoint that carry a tabname parameter, at the web server or in a WAF. Both rules below inspect only the query string; admin-ajax.php is commonly called with POST, so a WAF or mod_security rule that also inspects request bodies is needed for full coverage. Expect legitimate MultiVendorX dashboard features that use tabname to stop working while the rule is in place.

# Apache .htaccess in the document root (needs mod_rewrite and AllowOverride FileInfo)
RewriteEngine On
# Match a tabname= parameter at the start of the query string or after an &
# (query string only; POST bodies are not visible to mod_rewrite)
RewriteCond %{QUERY_STRING} (^|&)tabname= [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
# Nginx: this location must still hand the request to PHP-FPM, so either copy
# the site's existing fastcgi_* directives into it or put the if-block inside
# the existing "location ~ \.php$" block; $args is the query string only
location ~* /wp-admin/admin-ajax\.php$ {
    if ($args ~* "(^|&)tabname=") {
        return 403;
    }
    # ... existing fastcgi_pass / include fastcgi_params lines go here ...
}

File upload restrictions

Prevent PHP files from being written to, or executed from, the uploads tree. WordPress core already rejects PHP uploads unless ALLOW_UNFILTERED_UPLOADS is defined, so confirm that constant is not set in wp-config.php, and review any other plugin that accepts file uploads. The web-server rule below only stops direct requests to such files: a PHP include() reads the file from disk and is not affected by it, so this complements blocking the endpoint or updating the plugin rather than replacing them.

# wp-content/uploads/.htaccess: refuse to serve or execute PHP from the uploads tree
<FilesMatch "\.(php|php5|php7|php8|phtml|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

🧯 If You Can't Patch

  • Immediately disable the MultiVendorX plugin via the WordPress admin panel, or by renaming the wp-content/plugins/dc-woocommerce-multi-vendor directory so WordPress stops loading it (vendor dashboards and marketplace features will be unavailable until it is updated and re-enabled).
  • Implement web application firewall (WAF) rules that block requests to /wp-admin/admin-ajax.php whose tabname parameter, in the query string or the request body, contains path traversal (../), an absolute path, a .php/.phtml/.phar extension, or a stream wrapper such as php://.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for MultiVendorX version. If version is 4.2.14 or lower, system is vulnerable.

Check Version:

# the plugin slug is dc-woocommerce-multi-vendor (see the trac URL above), not the display name
wp plugin get dc-woocommerce-multi-vendor --field=version

Verify Fix Applied:

Verify that the plugin version shows 4.2.15 or higher in the WordPress admin panel (or in the WP-CLI output above). If a web-server or WAF workaround is in place, a GET request to /wp-admin/admin-ajax.php with a tabname parameter in the query string should return 403; note that the patched plugin itself validates the parameter rather than rejecting the request, so a normal 200 response from an updated site is expected.
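As an added example (not code from MultiVendorX or from this page), the following script performs the version check offline by reading the standard "Version:" header that every WordPress plugin declares in its main file and comparing it against the first fixed release. It assumes the plugin directory is wp-content/plugins/dc-woocommerce-multi-vendor (the slug from the trac link above); SAMPLE_HEADER is a constructed stand-in for that file.

```python
"""Decide whether an installed MultiVendorX build is in this advisory's affected
range (all versions up to and including 4.2.14).

Added example for this page, not the plugin's own code. Assumptions: the plugin
lives under wp-content/plugins/dc-woocommerce-multi-vendor and its main file
carries a "Version:" header comment. SAMPLE_HEADER is constructed test input.
"""
from __future__ import annotations

import re
from pathlib import Path

FIRST_FIXED = (4, 2, 15)
PLUGIN_DIR = Path("wp-content/plugins/dc-woocommerce-multi-vendor")  # assumed location
HEADER_BYTES = 8192  # WordPress reads only the first 8 KiB when parsing plugin headers

# Constructed sample of a plugin main-file header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: MultiVendorX
 * Version: 4.2.14
 */
"""

# "Version:" at the start of a line, allowing the usual comment decoration before it.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(?P<v>[0-9][0-9A-Za-z.\-]*)", re.M)


def parse_version(header_text: str) -> str | None:
    """Return the Version: header value from a plugin file, or None if absent."""
    m = VERSION_RE.search(header_text[:HEADER_BYTES])
    return m.group("v") if m else None


def version_tuple(version: str) -> tuple[int, int, int]:
    """Turn '4.2.14' (or '4.2', '4.2.15-rc1') into a 3-tuple for ordering."""
    nums: list[int] = []
    for seg in version.split(".")[:3]:
        digits = re.match(r"\d+", seg)  # drop suffixes like '-rc1'
        nums.append(int(digits.group()) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the build predates the first fixed release, 4.2.15."""
    return version_tuple(version) < FIRST_FIXED


def installed_version(plugin_dir: Path = PLUGIN_DIR) -> str | None:
    """Scan the top-level *.php files of the plugin directory for the header."""
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        with php.open(encoding="utf-8", errors="replace") as fh:
            v = parse_version(fh.read(HEADER_BYTES))
        if v:
            return v
    return None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("MultiVendorX not found under", PLUGIN_DIR)
    elif is_affected(v):
        print(f"MultiVendorX {v}: AFFECTED, update to 4.2.15 or later")
    else:
        print(f"MultiVendorX {v}: not in the affected range")
```

Run it from the WordPress root; it reports the installed version and whether it is below 4.2.15. Reading only the first 8 KiB of each file mirrors how WordPress itself extracts header fields, so the result matches what the Plugins screen shows.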

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-admin/admin-ajax.php whose tabname parameter contains path traversal (../, also URL-encoded), an absolute path, a .php/.phtml/.phar extension, a null byte, or a stream wrapper such as php://filter
  • PHP warnings or fatal errors about include/require of unexpected paths in the PHP or web server error logs
  • New PHP files appearing under wp-content/uploads or other directories that should hold no executable code

Network Indicators:

  • Unusual outbound connections from the web server following exploitation (reverse shells, downloads of second-stage tooling)
  • Bursts of admin-ajax.php requests from one source that cycle through many tabname values (scanning for includable paths)

SIEM Query:

# pseudo-query; matches only the query string, so POST bodies need WAF or application logs
source="web_access.log" AND uri="/wp-admin/admin-ajax.php" AND (query="*tabname=*../*" OR query="*tabname=*.php*" OR query="*tabname=*://*" OR query="*tabname=/*")
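The log indicators above, applied to access-log lines, as an added example that is not part of the original page or of any published detection for this CVE. The log lines are constructed samples in the combined log format, the action= value in them is a placeholder, and the indicators are generic local-file-inclusion patterns (traversal, absolute paths, PHP extensions, null bytes, stream wrappers) rather than signatures taken from an exploit.

```python
"""Flag admin-ajax.php requests whose tabname parameter looks like a file-inclusion attempt.

Added example for this advisory page, not code from MultiVendorX or the page's author.
SAMPLE_LOG is constructed; the indicator list is generic LFI heuristics.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format). "action=example" is a placeholder,
# not the plugin's real AJAX action name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&tabname=orders HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jan/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&tabname=../../../../wp-content/uploads/2025/01/shell.php HTTP/1.1" 200 77 "-" "curl/8.4.0"
203.0.113.8 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example&tabname=..%2f..%2fwp-config.php%00 HTTP/1.1" 200 80 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2025:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example&tabname=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 9001 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2025:12:00:06 +0000] "GET /wp-content/plugins/other/page.php?tabname=../x HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is a predicate over the once-URL-decoded tabname value.
# Leftover %2e/%2f/%5c after one decode means the attacker double-encoded the traversal.
INDICATORS = {
    "traversal": lambda v: ".." in v or re.search(r"%2e|%2f|%5c", v, re.I) is not None,
    "absolute_path": lambda v: v.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", v) is not None,
    "php_extension": lambda v: re.search(r"\.ph(?:p\d?|ps|tml|ar)(?:$|[?#\x00])", v, re.I) is not None,
    "stream_wrapper": lambda v: re.match(r"^[a-z][a-z0-9+.\-]*://", v, re.I) is not None,
    "null_byte": lambda v: "\x00" in v,
}


def suspicious_tabname(value: str) -> list[str]:
    """Return the names of the indicators that fire on one decoded tabname value."""
    return [name for name, check in INDICATORS.items() if check(value)]


def scan_log(text: str) -> list[dict]:
    """Return one hit per admin-ajax.php request whose tabname value trips an indicator.

    Only the query string is visible in an access log, so a POST carrying tabname in
    its body (line 5 of the sample) cannot be judged here; that needs WAF or PHP logs.
    """
    hits: list[dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx once
        for value in params.get("tabname", []):
            reasons = suspicious_tabname(value)
            if reasons:
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                    "status": int(m["status"]), "tabname": value, "reasons": reasons,
                })
    return hits


def sources(hits: list[dict]) -> set[str]:
    """Distinct client addresses behind the hits, for blocking or pivoting in the SIEM."""
    return {h["ip"] for h in hits}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], repr(h["tabname"]), ",".join(h["reasons"]))
    print("sources:", sorted(sources(scan_log(SAMPLE_LOG))))
```

On the sample it reports the three traversal, null-byte and php://filter requests and ignores the benign tabname=orders call, the POST with no query string, and the request to another script. A 200 status on a flagged line does not by itself prove success (the patched plugin also answers 200), so pair the hits with the file-system and error-log indicators listed above.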
