CVE-2024-8289: 
WordPress vulnerability analysis and mitigation

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress contains a critical privilege escalation and account takeover vulnerability (CVE-2024-8289) discovered in September 2024. The vulnerability affects all versions up to and including 4.2.0, stemming from insufficient capability checks in the updateitempermissionscheck and createitempermissionscheck functions (NVD).

The vulnerability is caused by insufficient capability checks in two key functions within the plugin's REST API controller. It has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction. The vulnerability is classified under CWE-862 (Missing Authorization) (Wordfence).

The vulnerability allows unauthenticated attackers to perform multiple unauthorized actions: change the password of any user with the vendor role, create new users with vendor privileges, and demote other users including administrators to the vendor role. This represents a significant security risk as it enables complete account takeover and privilege manipulation within the affected WordPress installations (NVD).

Website administrators running the MultiVendorX plugin should immediately update to version 4.2.1 or later, which contains patches for this vulnerability (NVD).