cleantalk
Vulnerabilities and Security Researches

WCFM Marketplace – Best Multivendor Marketplace for WooCommerce, CVE-2023-4960

CVE, Research URL

CVE-2023-4960

Home page URL

Security reports for WCFM Marketplace – Best Multivendor Marketplace for WooCommerce

Application

WCFM Marketplace – Best Multivendor Marketplace for WooCommerce

Published on
Jan 11, 2024
Research Description
The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.6.3.
Status
vulnerable
Previous vulnerability researches
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2024-44009) , Sep 19, 2024
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2026-1722) , Apr 15, 2026
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2022-4936) , Jun 07, 2024
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2022-4935) , Jun 07, 2024
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce (CVE-2021-24849) , Jun 07, 2024
New vulnerability
VI: Include Post By (CVE-2026-5717) , Apr 17, 2026
Responsive Accordion Slider (CVE-2026-0635) , Apr 17, 2026
Petje.af (CVE-2026-4002) , Apr 17, 2026
LinkedIn SC (CVE-2026-0812) , Apr 17, 2026
Coachific Shortcode (CVE-2026-4005) , Apr 17, 2026