CVE-2025-9054

Name of the Vulnerable Software and Affected Versions MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress versions prior to 4.2.9

Description The software is susceptible to unauthorized data modification, potentially allowing attackers to escalate privileges. Specifically, a missing capability check within the wcmlim settings ajax handler function allows unauthenticated attackers to update arbitrary options on the WordPress site. This can be exploited to modify the default role for registration to administrator and enable user registration, granting attackers administrative access.

Recommendations Update to version 4.2.9 or later.