Vulnerabilities and security researches forwc-vendors wc-vendors

Jun 25, 2026

CVE, Research URL: CVE-2026-54838
Home page URL: Security reports for WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Application: WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Date: -
Research Description: WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors [wc-vendors] < 2.6.9 CVE-2026-54838
Affected versions: max 2.6.9.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-12130
Home page URL: Security reports for WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Application: WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Date: Dec 05, 2025
Research Description: The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.6.4.1.
Status: vulnerable

Jun 15, 2025

CVE, Research URL: CVE-2025-49263
Home page URL: Security reports for WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Application: WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Date: Jun 06, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WCVendors WC Vendors Marketplace wc-vendors allows Blind SQL Injection.This issue affects WC Vendors Marketplace: from n/a through <= 2.5.6.
Affected versions: max 2.5.7.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2023-48327
Home page URL: Security reports for WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Application: WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Date: Dec 20, 2023
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Vendors WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors.This issue affects WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors: from n/a through 2.4.7.
Affected versions: max 2.4.7.1.
Status: vulnerable

CVE, Research URL: CVE-2023-0072
Home page URL: Security reports for WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Application: WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
Date: Feb 07, 2023
Research Description: The WC Vendors Marketplace WordPress plugin before 2.4.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: max 2.4.5.
Status: vulnerable