Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by webwizardsdev
CVE-2024-13519 (GCVE-0-2024-13519)
Vulnerability from cvelistv5 – Published: 2025-01-18 07:05 – Updated: 2026-04-08 16:52
VLAI?
Title
MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution <= 1.9.80 - Authenticated (Shop Manager+) Stored Cross-Site Scripting
Summary
The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.9.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webwizardsdev | MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution |
Affected:
0 , ≤ 1.9.80
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T21:26:19.730866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T21:26:23.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MarketKing \u2014 Ultimate WooCommerce Multivendor Marketplace Solution",
"vendor": "webwizardsdev",
"versions": [
{
"lessThanOrEqual": "1.9.80",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Karolina Jankowska"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MarketKing \u2014 Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin\u0027s settings in all versions up to, and including, 1.9.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:17.715Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5061e0be-1785-476a-9528-d6f95656bd61?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3180752%40marketking-multivendor-marketplace-for-woocommerce\u0026new=3180752%40marketking-multivendor-marketplace-for-woocommerce\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MarketKing \u2014 Ultimate WooCommerce Multivendor Marketplace Solution \u003c= 1.9.80 - Authenticated (Shop Manager+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13519",
"datePublished": "2025-01-18T07:05:08.206Z",
"dateReserved": "2025-01-17T18:34:32.469Z",
"dateUpdated": "2026-04-08T16:52:17.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12413 (GCVE-0-2024-12413)
Vulnerability from cvelistv5 – Published: 2024-12-25 03:21 – Updated: 2026-04-08 16:47
VLAI?
Title
MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution <= 2.0.00 - Missing Authorization
Summary
The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions like 'marketking_delete_team_member', 'marketkingrejectuser', 'marketking_save_profile_settings', and many more in all versions up to, and including, 2.0.00. This makes it possible for unauthenticated attackers to delete users, update settings, approve users, and more.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webwizardsdev | MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution |
Affected:
0 , ≤ 2.0.00
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-27T15:17:26.044618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-27T15:17:35.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MarketKing \u2014 Ultimate WooCommerce Multivendor Marketplace Solution",
"vendor": "webwizardsdev",
"versions": [
{
"lessThanOrEqual": "2.0.00",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MarketKing \u2014 Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions like \u0027marketking_delete_team_member\u0027, \u0027marketkingrejectuser\u0027, \u0027marketking_save_profile_settings\u0027, and many more in all versions up to, and including, 2.0.00. This makes it possible for unauthenticated attackers to delete users, update settings, approve users, and more."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:47:31.164Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb809c9-7167-4333-969f-0141c96342bd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3212032/marketking-multivendor-marketplace-for-woocommerce/trunk/includes/class-marketking-core.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-24T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MarketKing \u2014 Ultimate WooCommerce Multivendor Marketplace Solution \u003c= 2.0.00 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12413",
"datePublished": "2024-12-25T03:21:31.601Z",
"dateReserved": "2024-12-10T15:41:24.508Z",
"dateUpdated": "2026-04-08T16:47:31.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3126 (GCVE-0-2023-3126)
Vulnerability from cvelistv5 – Published: 2023-06-07 01:51 – Updated: 2026-04-08 17:25
VLAI?
Title
B2BKing <= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Information Disclosure
Summary
The B2BKing plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'b2bkingdownloadpricelist' function in versions up to, and including, 4.6.00. This makes it possible for Authenticated attackers with subscriber or customer-level permissions to retrieve the full pricing list of all products on the site.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webwizardsdev | B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More |
Affected:
0 , ≤ 4.6.00
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:07.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2e3ac14-1421-49f0-9c60-7f7d5c9d7654?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-b2bking-plugin/"
},
{
"tags": [
"x_transferred"
],
"url": "https://woocommerce-b2b-plugin.com/changelog/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:27:11.863480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:50:30.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "B2BKing \u2014 Ultimate WooCommerce B2B and Wholesale Plugin \u2014 Wholesale Prices, Bulk Order Form \u0026 More",
"vendor": "webwizardsdev",
"versions": [
{
"lessThanOrEqual": "4.6.00",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The B2BKing plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027b2bkingdownloadpricelist\u0027 function in versions up to, and including, 4.6.00. This makes it possible for Authenticated attackers with subscriber or customer-level permissions to retrieve the full pricing list of all products on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:25:26.477Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2e3ac14-1421-49f0-9c60-7f7d5c9d7654?source=cve"
},
{
"url": "https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-b2bking-plugin/"
},
{
"url": "https://woocommerce-b2b-plugin.com/changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-03T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "B2BKing \u003c= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-3126",
"datePublished": "2023-06-07T01:51:44.695Z",
"dateReserved": "2023-06-06T13:19:00.656Z",
"dateUpdated": "2026-04-08T17:25:26.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3125 (GCVE-0-2023-3125)
Vulnerability from cvelistv5 – Published: 2023-06-07 01:51 – Updated: 2026-04-08 17:16
VLAI?
Title
B2BKing <= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Price Modification
Summary
The B2BKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'b2bking_save_price_import' function in versions up to, and including, 4.6.00. This makes it possible for Authenticated attackers with subscriber or customer-level permissions to modify the pricing of any product on the site.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webwizardsdev | B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More |
Affected:
0 , ≤ 4.6.00
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:07.365Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3f2c4c3-73d6-4b3b-8eb3-c494f52dc183?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-b2bking-plugin/"
},
{
"tags": [
"x_transferred"
],
"url": "https://woocommerce-b2b-plugin.com/changelog/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:27:32.795065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:51:00.398Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "B2BKing \u2014 Ultimate WooCommerce B2B and Wholesale Plugin \u2014 Wholesale Prices, Bulk Order Form \u0026 More",
"vendor": "webwizardsdev",
"versions": [
{
"lessThanOrEqual": "4.6.00",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The B2BKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027b2bking_save_price_import\u0027 function in versions up to, and including, 4.6.00. This makes it possible for Authenticated attackers with subscriber or customer-level permissions to modify the pricing of any product on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:16:50.892Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3f2c4c3-73d6-4b3b-8eb3-c494f52dc183?source=cve"
},
{
"url": "https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-b2bking-plugin/"
},
{
"url": "https://woocommerce-b2b-plugin.com/changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-03T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "B2BKing \u003c= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Price Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-3125",
"datePublished": "2023-06-07T01:51:40.160Z",
"dateReserved": "2023-06-06T13:12:53.381Z",
"dateUpdated": "2026-04-08T17:16:50.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}