CVE-2025-4101: 
WordPress vulnerability analysis and mitigation

The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress contains a vulnerability (CVE-2025-4101) discovered in all versions up to and including 4.2.22. The vulnerability was disclosed on May 17, 2025, and involves a misconfigured capability check on the 'deletefpmproduct' function that allows unauthorized data deletion (NVD, Wiz).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS v3.1 Base Score of 4.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue exists in the capability check implementation of the 'deletefpmproduct' function, which fails to properly validate user permissions (NVD, Rapid7).

The vulnerability allows authenticated attackers with Contributor-level access or higher to delete arbitrary posts, pages, attachments, and products from the WordPress installation. This represents a significant risk to data integrity and content management (Wiz).

The vulnerability was partially addressed in version 4.2.22 of the plugin. Users are advised to update to this version or later to mitigate the risk. Site administrators should also review and restrict user roles and permissions to minimize potential exploitation (NVD).