CVE-2024-9943

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Oct 24, 2024 / Updated: 26d ago

CVSS 6.3 / EPSS 0.05% / Medium

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.4. This is due to missing or incorrect nonce validation on several functions in api/class-mvx-rest-controller.php. This makes it possible for unauthenticated attackers to update vendor account details, create vendor accounts, and delete arbitrary users via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Timeline

First Article: Feedly found the first article mentioning CVE-2024-9943. (Oct 24, 2024 at 7:48 AM / CVE)

CVSS Estimate: Feedly estimated the CVSS score as MEDIUM. (Oct 24, 2024 at 7:52 AM)

CVE Assignment: NVD published the first details for CVE-2024-9943. (Oct 24, 2024 at 8:15 AM)

CVSS: A CVSS base score of 6.3 has been assigned. (Oct 24, 2024 at 8:15 AM / nvd)

CVSS Estimate: Feedly estimated the CVSS score as LOW. (Oct 24, 2024 at 8:34 AM)

CVSS Estimate: Feedly estimated the CVSS score as MEDIUM. (Oct 24, 2024 at 9:36 AM)

CVSS Estimate: Feedly estimated the CVSS score as LOW. (Oct 24, 2024 at 11:35 AM)

EPSS: EPSS Score was set to 0.05% (Percentile: 21.3%). (Oct 25, 2024 at 10:08 AM)

Affected Systems

Wordpress/wordpress

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

Update Thu Nov 7 14:29:30 UTC 2024: CVE-2024-9943, Medium Severity (description as above). Read more at https://www.tenable.com/cve/CVE-2024-9943

Medium - CVE-2024-9943 - The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution (description as above)

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Cross-Site Request Forgery to Vendor Updates

Wcmp - MEDIUM - CVE-2024-9943 (description as above)

CVE-2024-9943 - MultiVendorX WooCommerce Multivendor Marketplace Cross-Site Request Forgery Vulnerability. CVE ID: CVE-2024-9943. Published: Oct. 24, 2024, 8:15 a.m. (description as above)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
