The plugin does not perform authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them and modify shipping method details/products and delete arbitrary posts, which can also lead to privilege escalation.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wc-multivendor-marketplace | lt | 3.4.12 |
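
The missing check described above, shown as an added example that is not the plugin's own code: a WordPress AJAX handler that deletes a post, first without and then with a nonce and a per-object capability check. The action name `example_delete_item`, the `nonce` and `post_id` request fields, and both function names are hypothetical.

```php
<?php
// Hypothetical names throughout: the 'example_delete_item' action and both
// handlers are illustrations, not code from the affected plugin.

// BEFORE: wp_ajax_* hooks only require a logged-in session, so a handler
// written like this is reachable by every role, including subscribers.
function example_delete_item_unchecked() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true ); // no nonce, no capability check
    wp_send_json_success();
}

// AFTER: verify request intent (nonce) and authorisation for the specific object.
function example_delete_item_checked() {
    // Ends the request with a 403 unless a valid nonce for this action is supplied.
    check_ajax_referer( 'example_delete_item', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid item.' ), 400 );
    }

    // Meta capability: resolved against the caller's rights over this particular post.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// Register only the checked handler for logged-in users.
add_action( 'wp_ajax_example_delete_item', 'example_delete_item_checked' );
```

When auditing a plugin for this class of issue, each `wp_ajax_` callback that changes state should contain both calls, with the capability matched to the object being modified.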