PT-2024-38917 · WordPress · Multivendorx

Wesley · Published 2024-09-04 · Updated 2024-09-07 · CVE-2024-8289

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress versions prior to 4.2.1
Description: The vulnerability stems from an insufficient capability check in the plugin's REST API `update_item_permissions_check()` and `create_item_permissions_check()` functions. Because these permission callbacks do not adequately verify that the caller is authorized, unauthenticated attackers can change the password of any user with the vendor role, create new users with the vendor role, and demote other users, including administrators, to the vendor role.
Recommendations: For versions prior to 4.2.1, update to version 4.2.1, which patches this flaw. As a temporary workaround until the update can be applied, restrict access to the `update_item_permissions_check()` and `create_item_permissions_check()` functions, and avoid relying on them in the affected API endpoints until the issue is resolved.
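As an added illustration, not MultiVendorX's own code, the following hypothetical WordPress REST controller shows the weak permission-callback pattern the advisory describes next to a hardened `update_item_permissions_check()`; the namespace, class and request field names are assumptions.

```php
<?php
// Added illustration, not MultiVendorX code: a hypothetical WP_REST_Controller for
// vendor records, showing the weak permission callback pattern the advisory
// describes next to a hardened one. Route, class and field names are assumptions.
class Hypothetical_Vendor_Controller extends WP_REST_Controller {

    public function register_routes() {
        register_rest_route( 'hypothetical/v1', '/vendors/(?P<id>\d+)', array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => array( $this, 'update_item' ),
            'permission_callback' => array( $this, 'update_item_permissions_check' ),
        ) );
    }

    // WEAK (the bug class): every caller passes, so an unauthenticated request
    // reaches update_item() and can set another user's password or role.
    public function weak_update_item_permissions_check( $request ) {
        return true;
    }

    // HARDENED: the caller must be logged in and hold the per-user 'edit_user'
    // meta capability for the target (self, or 'edit_users' for others); changing
    // a role additionally requires 'promote_users', as core's user endpoints demand.
    public function update_item_permissions_check( $request ) {
        $target_id = (int) $request['id'];
        if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', $target_id ) ) {
            return new WP_Error( 'rest_cannot_edit', 'Insufficient permissions.',
                array( 'status' => rest_authorization_required_code() ) );
        }
        if ( isset( $request['role'] ) && ! current_user_can( 'promote_users' ) ) {
            return new WP_Error( 'rest_cannot_edit_roles', 'Cannot change roles.',
                array( 'status' => rest_authorization_required_code() ) );
        }
        return true;
    }

    // Only runs after the permission callback returned true.
    public function update_item( $request ) {
        $args = array( 'ID' => (int) $request['id'] );
        if ( isset( $request['password'] ) ) {
            $args['user_pass'] = $request['password'];
        }
        if ( isset( $request['role'] ) ) {
            $args['role'] = sanitize_key( $request['role'] );
        }
        $result = wp_update_user( $args );
        return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'id' => $result ) );
    }
}
```

Registering `weak_update_item_permissions_check` as the `permission_callback` instead reproduces the advisory's condition: the route answers anonymous requests, and only the hardened callback turns them into 401/403 responses that show up in access logs.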

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-8289

Affected Products: Multivendorx