CVE-2025-9054
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-09-24
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | woocommerce_multi_locations_inventory_management | 4.2.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress, where a missing capability check in the 'wcmlim_settings_ajax_handler' function allows unauthenticated attackers to modify data. Specifically, attackers can update arbitrary options on the WordPress site, including changing the default user registration role to administrator and enabling user registration. This enables attackers to gain administrative access to the site without authentication.
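The weakness class described above (CWE-862) is a WordPress AJAX handler that writes site options without first verifying the caller's capability. The following is an added illustration, not the plugin's own code and not a reconstruction of `wcmlim_settings_ajax_handler`: it places a deliberately weak handler beside a hardened one so the missing controls are visible. All function, hook, nonce and option names prefixed `example_` are assumptions; the `check_ajax_referer`, `current_user_can`, `update_option` and `wp_send_json_*` calls are WordPress core APIs.

```php
<?php
// Added example (not the plugin's own code). Everything prefixed example_ is an
// assumption for illustration; the WordPress API calls are real core functions.

// Weak pattern (the CWE-862 shape): reachable by logged-out users through the
// wp_ajax_nopriv_ hook, no nonce, no capability check, and the request decides
// which option is written. Any option, including default_role and
// users_can_register, could be changed by whoever reaches the endpoint.
function example_settings_ajax_handler_unsafe() {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_settings', 'example_settings_ajax_handler_unsafe' );
add_action( 'wp_ajax_nopriv_example_settings', 'example_settings_ajax_handler_unsafe' );

// Hardened pattern: authentication, CSRF protection, authorization, and an
// allowlist of the only options this endpoint is allowed to touch.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_default_location',   // assumed plugin setting
    'example_low_stock_threshold' // assumed plugin setting
);

function example_settings_ajax_handler() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege; the capability check
    //    is what was missing in the advisory's description. manage_options is the
    //    capability WordPress uses for changing site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Allowlist: the client never chooses the option name freely.
    $name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown setting' ), 400 );
    }

    // 4. Validate the value for what the option expects before storing it.
    $value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success( array( 'updated' => $name ) );
}

// Register for authenticated requests only: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_example_settings', 'example_settings_ajax_handler' );
```

The two controls that matter for this CVE class are the `current_user_can()` check and the allowlist: `check_ajax_referer()` alone would still let any logged-in subscriber with a valid nonce write settings, and an allowlist of option names stops a settings endpoint from becoming a generic `update_option()` proxy.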
How can this vulnerability impact me?
The vulnerability can lead to privilege escalation by allowing attackers to gain administrative access to your WordPress site. This means attackers can control the site, modify content, install malicious code, steal data, or disrupt services, resulting in a complete compromise of the affected website.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the MultiLoca - WooCommerce Multi Locations Inventory Management plugin to a version later than 4.2.8 where the issue is fixed. Additionally, disable user registration on your WordPress site until the plugin is updated, and review user roles to ensure no unauthorized administrator accounts have been created.
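The review steps above (registration state, default role, unexpected administrators) can be checked programmatically. The following is an added example, not code from the plugin, Wordfence or BaseFortify; it reads the two WordPress core options the advisory names and lists administrator accounts for review. `users_can_register`, `default_role` and the `get_option`/`get_users` calls are core WordPress; the function name is an assumption. It is meant to run inside WordPress (for instance via `wp eval-file` or a must-use plugin).

```php
<?php
// Added example (not the plugin's code). Returns a list of findings an
// administrator should review after updating the plugin.
function example_audit_privilege_escalation_indicators() {
    $findings = array();

    // Core option: '1' when anyone can create an account. The advisory says an
    // attacker would turn this on.
    if ( '1' === (string) get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled';
    }

    // Core option: role given to newly registered users. It should never be
    // administrator; the advisory says an attacker would set it to that.
    $default_role = get_option( 'default_role' );
    if ( 'administrator' === $default_role ) {
        $findings[] = 'default_role is administrator';
    }

    // Enumerate administrator accounts with their registration time so that
    // accounts created around the exposure window stand out.
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_registered' ),
    ) );
    foreach ( $admins as $admin ) {
        $findings[] = sprintf(
            'administrator #%d %s (registered %s)',
            $admin->ID,
            $admin->user_login,
            $admin->user_registered
        );
    }

    return $findings;
}

// Usage inside WordPress:
// foreach ( example_audit_privilege_escalation_indicators() as $line ) { echo $line, "\n"; }
```

If the first two findings appear, `wp option update users_can_register 0` and `wp option update default_role subscriber` (standard WP-CLI commands) restore the safe defaults; any administrator account that nobody recognises should be disabled and its sessions and application passwords revoked, and the site checked for files or plugins installed through that account.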