Platform: wordpress
Component: dc-woocommerce-multi-vendor
Fixed version: 4.2.15
CVE-2025-0493 describes a Local File Inclusion (LFI) vulnerability affecting the MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress. This vulnerability allows unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 4.2.14, and a patch is available in version 4.2.15.
The impact of this vulnerability is severe. An attacker can leverage the LFI to include malicious PHP files, effectively gaining the ability to execute arbitrary code on the server. This could lead to complete compromise of the WordPress site, including data exfiltration, modification of website content, and installation of backdoors. The attacker could potentially gain access to sensitive customer data stored within the WooCommerce database, including payment information. Given the plugin's function as a marketplace solution, the blast radius extends to all vendors and customers using the platform.
This vulnerability was publicly disclosed on 2025-01-31. While no public exploits have been widely reported, the ease of exploitation and the plugin's popularity suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The LFI nature of the vulnerability aligns with common attack patterns, and the lack of authentication required makes it particularly concerning.
This vulnerability primarily affects websites using the MultiVendorX plugin for WooCommerce. Specifically, sites running older versions (0.0.0–4.2.14) are at risk. Shared hosting environments are particularly vulnerable, as attackers may be able to exploit the vulnerability to compromise other sites on the same server.
• wordpress / composer / npm:
grep -r 'tabname' /var/www/html/wp-content/plugins/dc-woocommerce-multi-vendor/
• wordpress / composer / npm:
wp plugin list | grep dc-woocommerce-multi-vendor
• wordpress / composer / npm:
curl -I http://your-wordpress-site.com/wp-content/plugins/dc-woocommerce-multi-vendor/includes/tabname.php | head -n 1
• generic web:
Check WordPress access logs for requests containing tabname=../ or similar path traversal attempts (including percent-encoded forms such as %2e%2e%2f).
Exploitation status: disclosure
EPSS: 0.49% (65th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to immediately upgrade the MultiVendorX plugin to version 4.2.15 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file upload permissions, implementing strict input validation on the tabname parameter, and using a Web Application Firewall (WAF) to filter out malicious requests attempting to include arbitrary files. Monitor WordPress access logs for suspicious file inclusion attempts, looking for patterns involving the tabname parameter and unexpected file paths. After upgrading, confirm the fix by attempting to access a non-existent PHP file through the vulnerable parameter and verifying that it results in a 404 error.
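The access-log check described above, as an added example that is not part of the original advisory: a small Python scanner for combined-format access logs that flags requests whose tabname parameter carries a traversal sequence, an absolute path, a stream wrapper or a null byte, after undoing repeated percent-encoding so that double-encoded payloads are not missed. The log lines are constructed samples and the request paths in them are assumed, not the plugin's actual endpoint.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in Apache/nginx "combined" format; request paths are assumed, not the plugin's real endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Jan/2025:10:00:01 +0000] "GET /?tabname=orders HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [31/Jan/2025:10:00:02 +0000] "GET /?tabname=../../wp-config HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.12 - - [31/Jan/2025:10:00:03 +0000] "GET /?tabname=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.13 - - [31/Jan/2025:10:00:04 +0000] "GET /shop/?tabname=%252e%252e%252fsecret HTTP/1.1" 404 200 "-" "-"
203.0.113.14 - - [31/Jan/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target and status code from one combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# traversal (after backslashes are normalised), absolute path, stream wrapper such as php://, or null byte
SUSPICIOUS = re.compile(r'(\.\./|^/|^[a-z]+://|\x00)', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ (bounded to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def tabname_values(target):
    """All tabname values in the request target's query string (parse_qs already decodes one layer)."""
    query = target.partition("?")[2]
    return parse_qs(query, keep_blank_values=True).get("tabname", [])

def is_suspicious_tabname(value):
    """True when the decoded value looks like a file-inclusion attempt rather than a plain tab name."""
    normalised = decode_fully(value).replace("\\", "/")
    return bool(SUSPICIOUS.search(normalised))

def scan_access_log(text):
    """Return (ip, timestamp, status, decoded tabname) for every request with a suspicious tabname."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for value in tabname_values(m["target"]):
            if is_suspicious_tabname(value):
                hits.append((m["ip"], m["ts"], int(m["status"]), decode_fully(value)))
    return hits
```

Feed the scanner your real access log (`scan_access_log(open(path).read())`) and review the returned tuples; a 200 status on a flagged request deserves the closest attention.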
Update the MultiVendorX plugin to version 4.2.15 or later to mitigate the Limited Local File Inclusion vulnerability. This update fixes the improper validation of the 'tabname' parameter and thereby prevents malicious code execution.
CVE-2025-0493 is a critical Local File Inclusion vulnerability in the MultiVendorX WooCommerce plugin, allowing attackers to include arbitrary PHP files and potentially execute code.
Yes, if you are using MultiVendorX versions 0.0.0 through 4.2.14, you are affected by this vulnerability.
Upgrade the MultiVendorX plugin to version 4.2.15 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high probability of future attacks.
Refer to the MultiVendorX plugin documentation and website for the official advisory and update information.