Platform: wordpress
Component: dc-woocommerce-multi-vendor
Fixed in: 4.2.15
CVE-2025-0493 describes a Local File Inclusion (LFI) vulnerability affecting the MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress. This vulnerability allows unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 4.2.14, and a patch is available in version 4.2.15.
The impact of this vulnerability is severe. An attacker can leverage the LFI to include malicious PHP files, effectively gaining the ability to execute arbitrary code on the server. This could lead to complete compromise of the WordPress site, including data exfiltration, modification of website content, and installation of backdoors. The attacker could potentially gain access to sensitive customer data stored within the WooCommerce database, including payment information. Given the plugin's function as a marketplace solution, the blast radius extends to all vendors and customers using the platform.
This vulnerability was publicly disclosed on 2025-01-31. While no public exploits have been widely reported, the ease of exploitation and the plugin's popularity suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. File inclusion is a well-understood and commonly exploited bug class, and the absence of any authentication requirement makes this instance particularly concerning.
Exploit Status
EPSS: 0.49% (65th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to immediately upgrade the MultiVendorX plugin to version 4.2.15 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file upload permissions, implementing strict input validation on the tabname parameter, and using a Web Application Firewall (WAF) to filter out malicious requests attempting to include arbitrary files. Monitor WordPress access logs for suspicious file inclusion attempts, looking for patterns involving the tabname parameter and unexpected file paths. After upgrading, confirm the fix by attempting to access a non-existent PHP file through the vulnerable parameter and verifying that it results in a 404 error.
Update the MultiVendorX plugin to version 4.2.15 or higher to mitigate the limited Local File Inclusion vulnerability. This update addresses the failure to properly validate the 'tabname' parameter, preventing the execution of malicious code.
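The log review suggested above, as an added example that is not part of this advisory or of the plugin's code: it parses combined-format access log lines, pulls out the tabname query parameter, decodes it a second time to expose double-encoding, and flags values that contain traversal sequences, path separators, null bytes or a .php reference. The slug pattern and the sample log entries are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format: we only need client IP, timestamp, request target and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: a legitimate tab name is a short slug made of letters, digits, '-' and '_'.
SAFE_SLUG = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

def tabname_findings(value):
    """Return the reasons a decoded tabname value looks like a file-inclusion attempt."""
    reasons = []
    if '\x00' in value:
        reasons.append('null byte')
    if '..' in value:
        reasons.append('directory traversal')
    if '/' in value or '\\' in value:
        reasons.append('path separator')
    if re.search(r'\.php', value, re.IGNORECASE):
        reasons.append('php file reference')
    if not reasons and not SAFE_SLUG.match(value):
        reasons.append('not a plain slug')
    return reasons

def scan_access_log(lines):
    """Return one finding per request whose tabname parameter fails the checks above."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m['target']).query
        for raw in parse_qs(query, keep_blank_values=True).get('tabname', []):
            value = unquote(raw)  # parse_qs decoded once; a second pass exposes double-encoding
            reasons = tabname_findings(value)
            if reasons:
                hits.append({'ip': m['ip'], 'time': m['ts'], 'status': m['status'],
                             'tabname': value, 'reasons': reasons})
    return hits

# Constructed sample entries (not real traffic); the IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Jan/2025:10:00:01 +0000] "GET /vendor/?tabname=products HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Jan/2025:10:00:02 +0000] "GET /vendor/?tabname=../../../tmp/x.php HTTP/1.1" 200 311 "-" "curl/8.4.0"',
    '203.0.113.9 - - [31/Jan/2025:10:00:03 +0000] "GET /vendor/?tabname=%252e%252e%252fx.php HTTP/1.1" 404 120 "-" "curl/8.4.0"',
    '198.51.100.4 - - [31/Jan/2025:10:00:04 +0000] "GET /vendor/?tabname=foo.bar&page=2 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [31/Jan/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
    'malformed entry',
]
```

Running scan_access_log(SAMPLE_LOG) returns three findings: the plain and the double-encoded traversal requests and the non-slug value, while the benign tab name, the unrelated POST and the malformed line are ignored.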
CVE-2025-0493 is a critical Local File Inclusion vulnerability in the MultiVendorX WooCommerce plugin, allowing attackers to include arbitrary PHP files and potentially execute code.
Yes, if you are using MultiVendorX versions 0.0.0 through 4.2.14, you are affected by this vulnerability.
Upgrade the MultiVendorX plugin to version 4.2.15 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high probability of future attacks.
Refer to the MultiVendorX plugin documentation and website for the official advisory and update information.