PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12941 wcmp CVE debrief

The MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions plugin for WordPress is vulnerable to SQL Injection via the 'order_by' parameter. This allows authenticated attackers with subscriber-level access to append SQL queries, potentially extracting sensitive database information. The vulnerability has a CVSS score of 6.5 and is considered medium severity. The default store approval setting allows self-registration as a store owner, which enhances exploitability. WordPress site administrators using the MultiVendorX plugin, especially those with subscriber-level users, should prioritize updating to a patched version.

Vendor
wcmp
Product
MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

WordPress site administrators using the MultiVendorX plugin, especially those with subscriber-level users, should prioritize updating to a patched version. Site owners should review their store approval settings and consider restricting access to the vulnerable transactions endpoint. Security teams should monitor for suspicious database queries and implement additional security measures for subscriber-level users.

Technical summary

The MultiVendorX plugin for WordPress is vulnerable to SQL Injection due to insufficient escaping of the 'order_by' parameter and lack of preparation on existing SQL queries. Authenticated attackers with subscriber-level access can append additional SQL queries, potentially extracting sensitive information from the database. The vulnerability is exacerbated by the default store approval setting, which allows self-registration as a store owner and grants the edit_stores capability required to reach the vulnerable transactions endpoint.

Defensive priority

Medium priority due to the CVSS score of 6.5 and the potential for sensitive information disclosure.

Recommended defensive actions

  • Update the MultiVendorX plugin to the latest version
  • Restrict access to the vulnerable transactions endpoint
  • Monitor for suspicious database queries
  • Implement additional security measures for subscriber-level users
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability is confirmed by the CVE record and NVD detail. The exploitability is enhanced by the default store approval setting allowing self-registration as a store owner. Evidence limits suggest that additional verification is required to confirm the scope of affected systems and to assess potential impact on sensitive data. Defenders should verify the configuration of store approval settings and monitor for suspicious database queries. Additional review of the plugin's transactions endpoint and database schema may be necessary to fully understand the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T04:17:16.247Z and has not been modified since then.