CVE-2025-0493

Name of the Vulnerable Software and Affected Versions MultiVendorX plugin versions up to 4.2.14

Description The issue allows unauthenticated attackers to include PHP files on the server via the tabname parameter, enabling the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

Recommendations For MultiVendorX plugin versions up to 4.2.14, update the plugin to a version later than 4.2.14 to resolve the issue. As a temporary workaround, consider restricting access to the tabname parameter to minimize the risk of exploitation.