CVE-2022-2657

Name of the Vulnerable Software and Affected Versions Multivendor Marketplace Solution for WooCommerce WordPress plugin versions prior to 3.8.12

Description The issue is related to a lack of authorization and CSRF protection in multiple AJAX actions. This could allow authenticated users, such as subscribers, to perform certain actions like suspending vendors or updating arbitrary order status. Additionally, other unauthenticated attacks are possible, either directly or via CSRF.

Recommendations For versions prior to 3.8.12, update to version 3.8.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable AJAX actions until a patch is available. Restrict access to the plugin's functionality for low-privileged users, such as subscribers, to minimize the risk of exploitation.