CVE-2025-64631

Vulnerability

Overview

The WCFM Marketplace plugin for WordPress (wc-multivendor-marketplace) versions up to and including 3.7.1 contain a missing authorization vulnerability. This issue arises from incorrectly configured access control security levels, allowing exploitation of broken access control mechanisms. The plugin fails to properly enforce authorization checks on certain functions, leading to a security flaw classified as CVE-2025-64631 with a CVSS v3 score of 4.9 (Medium) [1].

Attack

Vector

The vulnerability is categorized under 'Broken Access Control,' meaning that the plugin lacks necessary authorization or nonce token checks in specific functions. This can be exploited by unprivileged users, including those without any authentication, to perform actions that should require higher privileges. Attackers can trigger this remotely via HTTP requests, without needing any prior authentication or special network position [1].

Impact

Successful exploitation allows an attacker to execute unauthorized actions within the WordPress site, potentially leading to data exposure, modification, or other forms of privilege escalation. The vulnerability is actively used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity, highlighting its practical risk and the urgency for mitigation [1].

Mitigation

Users are advised to update the affected plugin to a patched version immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. The vendor, WC Lovers, has addressed this issue in versions after 3.7.1, but sites running older versions remain vulnerable until updated [1].