CVE-2025-9054
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify WordPress site options via the MultiLoca WooCommerce plugin, potentially enabling them to change the default user registration role to administrator and create admin accounts. All WordPress sites using the MultiLoca plugin versions up to 4.2.8 are affected.
💻 Affected Systems
- MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of the WordPress site, leading to data theft, site defacement, or malware distribution.
Likely Case
Attackers create administrator accounts and compromise the site for malicious purposes like SEO spam or credential harvesting.
If Mitigated
If user registration is disabled or strict access controls are in place, impact may be limited to other option modifications, but risk remains high.
🎯 Exploit Status
Exploitation involves sending crafted HTTP requests to the vulnerable AJAX endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.2.9 or later
Vendor Advisory: https://codecanyon.net/item/woocommerce-multi-locations-inventory-management/28949586#item-description__changelog
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'MultiLoca - WooCommerce Multi Locations Inventory Management'.
4. Click 'Update Now' if available, or manually update to version 4.2.9+ via FTP/WordPress updater.
🔧 Temporary Workarounds
Disable plugin temporarily
Deactivate the MultiLoca plugin to prevent exploitation until patched.
wp plugin deactivate woocommerce-multi-locations-inventory-management
Restrict access to AJAX endpoint
Use a web application firewall (WAF) or .htaccess rules to block unauthorized access to the vulnerable function.
# Example .htaccess rule to block specific AJAX requests (requires mod_rewrite)
# Note: mod_rewrite only inspects the URL query string; an 'action' parameter
# sent in a POST body is not visible to this rule, so pair it with a WAF rule.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=wcmlim_settings_ajax_handler
RewriteRule ^ - [F]
🧯 If You Can't Patch
- Disable user registration in WordPress settings to prevent admin account creation.
- Implement network-level filtering to block suspicious requests to admin-ajax.php.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins; if the version is 4.2.8 or lower, the site is vulnerable.
Check Version:
wp plugin get woocommerce-multi-locations-inventory-management --field=version
Verify Fix Applied:
After updating, confirm the plugin version is 4.2.9 or higher in the same location.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'action=wcmlim_settings_ajax_handler' from clients that have no WordPress session.
- Sudden creation of new administrator user accounts in WordPress logs.
Network Indicators:
- HTTP traffic to admin-ajax.php with parameters attempting to modify site options like 'default_role'.
SIEM Query:
source="wordpress.log" AND (uri="/wp-admin/admin-ajax.php" AND parameters CONTAINS "wcmlim_settings_ajax_handler")
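The log indicators above, turned into a small detector as an added example (not part of this advisory or the plugin): it parses combined-format web server access logs, flags requests to admin-ajax.php that carry the vulnerable action in the query string, records which watched options the request tried to set, and notes whether the same client then requested the WordPress registration page. The sample log lines are constructed; users_can_register is assumed here as the option behind the "Anyone can register" setting, and, because access logs do not record POST bodies, only the query-string variant of the request is visible to this check.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/nginx default access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
VULN_ACTION = "wcmlim_settings_ajax_handler"  # AJAX action named in the advisory
# default_role is named in the advisory; users_can_register is assumed as the
# WordPress option behind "Anyone can register".
WATCHED_OPTIONS = {"default_role", "users_can_register"}

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wcmlim_settings_ajax_handler&default_role=administrator HTTP/1.1" 200 57 "-" "python-requests/2.32"
198.51.100.4 - - [18/Aug/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2025:10:01:09 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 3301 "-" "python-requests/2.32"
203.0.113.7 - - [18/Aug/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=wcmlim_settings_ajax_handler&users_can_register=1 HTTP/1.1" 200 57 "-" "python-requests/2.32"
"""

def parse_requests(log_text):
    """Yield (ip, method, path, query_params) for every parseable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            url = urlsplit(m["target"])
            yield m["ip"], m["method"], url.path, parse_qs(url.query)

def detect(log_text):
    """Per-IP findings: calls to the vulnerable action, watched options the
    client tried to set, and whether it later hit the registration page."""
    findings = {}
    for ip, _method, path, qs in parse_requests(log_text):
        actions = qs.get("action", [])
        if path == "/wp-admin/admin-ajax.php" and VULN_ACTION in actions:
            f = findings.setdefault(
                ip, {"calls": 0, "options": set(), "then_registered": False})
            f["calls"] += 1
            f["options"] |= WATCHED_OPTIONS & set(qs)
        elif path == "/wp-login.php" and "register" in actions and ip in findings:
            # Registration attempt after touching the vulnerable endpoint:
            # matches the "new administrator account" indicator above.
            findings[ip]["then_registered"] = True
    return findings

if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, f["calls"], sorted(f["options"]), f["then_registered"])
```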