SECURITY VULNERABILITY – URGENT

MultivendorX

Resolved
Viewing 6 reply threads
  • Author
    Posts
    • #216946
      webmaster.mid
      Participant

      Hi,

      I received the following alert from our premium WordPress/WooCommerce hosting company, KINSTA.

      The vulnerability is listed here:
      https://patchstack.com/database/vulnerability/dc-woocommerce-multi-vendor/wordpress-multivendorx-plugin-4-1-1-broken-access-control-vulnerability?_s_id=app

      It seems that the Patchstack team solved it for me by applying a patch, but it would be better to fix it on your side.

      Note that Patchstack seems to have a security program for developers: https://patchstack.com/for-plugins/

      Any quick fix?

      Thanks,

      Matthieu

      Hello,

      We are writing to you today to notify you about a security vulnerability discovered in the MultiVendorX Marketplace plugin. We detected the plugin on one or more of your websites.

      You can ignore this message if you have already deactivated MultiVendorX Marketplace.

      The plugin has a vulnerability that makes it possible for unauthenticated visitors to perform actions with unknown impact. There is no fix available. Though the impact is unknown, we’re sending this notice because there’s not a fixed version of the plugin, so it’s best to discontinue use.

      No fix is currently available, so we recommend deactivating the plugin immediately. You can reactivate and update the plugin if the author issues a fixed version in the future.

      To deactivate the plugin, log in to the Admin section of your site, go to Plugins > Installed Plugins > MultiVendorX Marketplace, and click the “Deactivate” link under the plugin name.

      This vulnerability may exist in both live and staging environments. We recommend that both be checked and that the plugin be deactivated.

      We detected this vulnerability on February 5th, 2024, at 2:04 PM UTC, but due to the time difference between scanning for vulnerabilities and sending notifications, you may have already removed the plugins.

    • #216957

      @webmaster.mid Thank you for bringing this to our attention. However, we currently lack any detailed information regarding the vulnerability issues you’ve mentioned. It would be great if you could provide us with the vulnerability issue report. This will enable our team to thoroughly investigate the matter and implement appropriate fixes on our end.

    • #216969
      webmaster.mid
      Participant

      Hi Sangita,

      Please contact Patchstack for more information about the vulnerability. The information is only disclosed to those who have permission to know, in this case, you.

      https://patchstack.com/database/vulnerability/dc-woocommerce-multi-vendor/wordpress-multivendorx-plugin-4-1-1-broken-access-control-vulnerability?_s_id=app

    • #216986

      Hello @webmaster.mid, we appreciate your prompt response.
      We’ve reached out to the team but haven’t received any detailed information about the issue from their end.
      It would be greatly appreciated if you could provide us with any data related to the issue. This will enable us to promptly investigate and implement a solution.

    • #217144
      webmaster.mid
      Participant

      It seems that Patchstack already sent you information regarding the vulnerability. See below.

      Patchstack contact email is: sander.jurgens@patchstack.intercom-mail.com

      ————————————————
      Sander from Patchstack <sander.jurgens@patchstack.intercom-mail.com>
      Hello!
      They have all the vulnerability details sent to them already (we contact vendors multiple times with details to fix it).
      If they fail to find the emails, they can contact the support here (this is our only official support place).

      I am not sure where they have turned to before.
      Sander
      Patchstack

    • #217153

      We have earlier contacted them but did not receive any update from them. However, thanks for sharing the email id. We have sent an email to the team keeping you in cc. Once we hear about the error from their end, we will add a fix for that accordingly.

    • #218958

      It’s been a long time and we have not heard back from you. We presume your query is resolved now. We are closing this thread.
      If you need help or face an issue in the future, please do create a new support thread.


The topic ‘SECURITY VULNERABILITY – URGENT’ is closed to new replies.