Wclovers Wcfm Marketplace
By the Year
In 2026 there have been 0 vulnerabilities in Wclovers Wcfm Marketplace. Last year, in 2025, Wcfm Marketplace had 1 security vulnerability published. Right now, Wcfm Marketplace is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 4.90 |
| 2024 | 2 | 6.75 |
| 2023 | 2 | 7.55 |
It may take a day or so for new Wcfm Marketplace vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Wclovers Wcfm Marketplace Security Vulnerabilities
Missing Auth in WC Lovers WCFM Marketplace (<=3.6.15)
CVE-2025-64631
4.9 - Medium
- December 16, 2025
Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Marketplace: from n/a through <= 3.7.1.
AuthZ
WCFM Marketplace 3.6.10 Reflected XSS via Unescaped Input
CVE-2024-44009
7.1 - High
- September 17, 2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Reflected XSS. This issue affects WCFM Marketplace: from n/a through <= 3.6.11.
XSS
Stored XSS in WCFM Marketplace (3.6.2) via wcfm_stores shortcode
CVE-2023-4960
6.4 - Medium
- January 11, 2024
The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
WCFM Marketplace WP Plugin 3.x CSRF via missing nonce checks (CVE-2022-4936)
CVE-2022-4936
6.3 - Medium
- April 05, 2023
The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and more, via a forged request, granted they can trick a site's administrator into performing an action such as clicking on a link.
Session Riding
WCFM Marketplace WP Plugin 3.4.11 Unauthorized AJAX Access & Privilege Escalation
CVE-2022-4935
8.8 - High
- April 05, 2023
The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and privilege escalation (via the wp_ajax_wcfm_vendor_store_online AJAX action).
SQL Injection