NVD Vulnerability Detail

CVE-2024-9943

Summary	The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.4. This is due to missing or incorrect nonce validation on several functions in api/class-mvx-rest-controller.php. This makes it possible for unauthenticated attackers to update vendor account details, create vendor accounts, and delete arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Publication Date	Oct. 24, 2024, 5:15 p.m.
Registration Date	Oct. 24, 2024, 8 p.m.
Last Update	Oct. 25, 2024, 9:56 p.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://www.wordfence.com/threat-intel/vulnerabilities/id/b950faf9-2122-42af-9f05-ec850767be32?source=cve
2	https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.1/api/class-mvx-rest-controller.php#L5258
3	https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.1/api/class-mvx-rest-controller.php#L6155
4	https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.1/api/class-mvx-rest-controller.php#L6009
5	https://plugins.trac.wordpress.org/changeset/3173238/dc-woocommerce-multi-vendor/trunk/api/class-mvx-rest-controller.php?old=3168957&old_path=dc-woocommerce-multi-vendor%2Ftrunk%2Fapi%2Fclass-mvx-rest-controller.php

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-352	クロスサイト・リクエスト・フォージェリ（CSRF）	https://cwe.mitre.org/data/definitions/352.html
2	CWE-352	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html

JVN Vulnerability Information

WordPress 用 multivendorx におけるクロスサイトリクエストフォージェリの脆弱性

Title	WordPress 用 multivendorx におけるクロスサイトリクエストフォージェリの脆弱性
Summary	WordPress 用 multivendorx には、クロスサイトリクエストフォージェリの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 24, 2024, midnight
Registration Date	June 6, 2025, 5:47 p.m.
Last Update	June 6, 2025, 5:47 p.m.

Affected System

multivendorx

multivendorx 4.2.5 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-9943	https://www.cve.org/CVERecord?id=CVE-2024-9943
National Vulnerability Database (NVD)
2	CVE-2024-9943	https://nvd.nist.gov/vuln/detail/CVE-2024-9943

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-352	https://jvndb.jvn.jp/ja/cwe/CWE-352.html

その他

No	Name	URL
関連文書
1	plugins.trac.wordpress.org (class-mvx-rest-controller.php#L5258)	https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.1/api/class-mvx-rest-controller.php#L5258
2	plugins.trac.wordpress.org (class-mvx-rest-controller.php#L6009)	https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.1/api/class-mvx-rest-controller.php#L6009
3	plugins.trac.wordpress.org (class-mvx-rest-controller.php#L6155)	https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/4.2.1/api/class-mvx-rest-controller.php#L6155
4	plugins.trac.wordpress.org (class-mvx-rest-controller.php?old=3168957&old_path=dc-woocommerce-multi-vendor/trunk/api/class-mvx-rest-controller.php)	https://plugins.trac.wordpress.org/changeset/3173238/dc-woocommerce-multi-vendor/trunk/api/class-mvx-rest-controller.php?old=3168957&old_path=dc-woocommerce-multi-vendor%2Ftrunk%2Fapi%2Fclass-mvx-rest-controller.php
5	www.wordfence.com (b950faf9-2122-42af-9f05-ec850767be32?source=cve)	https://www.wordfence.com/threat-intel/vulnerabilities/id/b950faf9-2122-42af-9f05-ec850767be32?source=cve

Change Log

No	Changed Details	Date of change
1	[2025年06月06日] 掲載	June 6, 2025, 5:47 p.m.