A critical vulnerability has been identified in The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress. This flaw allows a low-privileged attacker to gain full administrative control over an affected website by exploiting a missing security check. Successful exploitation could lead to complete system compromise, data theft, and significant reputational damage.

The vulnerability is a privilege escalation caused by a missing capability check within the plugin's code. This security flaw fails to verify if a user has the appropriate permissions before executing a sensitive function. An authenticated attacker with low-level privileges, such as a subscriber, can craft a specific request to this function to modify data and grant their own account administrative rights, leading to a full compromise of the WordPress site.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the ease of exploitation and the potential for severe damage. A successful attack could result in a complete takeover of the organization's website, leading to the theft of sensitive customer information, financial data, and intellectual property. Further impacts include website defacement, distribution of malware to visitors, significant reputational harm, and potential regulatory fines for data breaches.

Immediate Action: Immediately update The MultiLoca - WooCommerce Multi Locations Inventory Management plugin to the latest patched version provided by the vendor. After applying the update, thoroughly review user accounts for any unauthorized or suspicious new administrative users created prior to the patch.

Proactive Monitoring: Monitor web server and application logs for unusual POST requests to WordPress AJAX endpoints (admin-ajax.php) or other plugin-specific functions. Implement file integrity monitoring to detect unauthorized changes to plugin files or the WordPress core. Scrutinize access logs for patterns indicative of reconnaissance or exploitation attempts originating from unexpected IP addresses.

Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) with virtual patching rules designed to block exploit attempts against this specific vulnerability. As a temporary measure, disabling the plugin would remove the attack vector, but this may impact business operations. Enforcing the principle of least privilege for all user accounts can also help limit the initial attack surface.

Public Exploit Available: False

This vulnerability poses a critical and immediate threat to the security of any website using the affected plugin. The high CVSS score indicates that an attacker can easily and reliably compromise a vulnerable system with minimal effort. Although not yet listed on the CISA KEV catalog, its severity demands an urgent response. We strongly recommend that all organizations patch this vulnerability immediately to prevent a complete compromise of their web infrastructure.