Brief Summary of CVE-2025-9054: Privilege Escalation in MultiLoca WooCommerce Multi Locations Inventory Management Plugin

This post provides a brief summary of CVE-2025-9054, a critical privilege escalation vulnerability in the MultiLoca WooCommerce Multi Locations Inventory Management plugin for WordPress. The flaw allows unauthenticated attackers to modify site options and escalate privileges to administrator in all versions up to and including 4.2.8.
ZeroPath CVE Analysis

2025-09-24

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can gain full administrative access to WooCommerce-powered e-commerce sites by exploiting a single missing authorization check in the MultiLoca Multi Locations Inventory Management plugin. This issue affects all plugin versions up to and including 4.2.8, putting inventory data, customer records, and business operations at risk for any WordPress site using this plugin.

MultiLoca WooCommerce Multi Locations Inventory Management is a commercial plugin distributed via CodeCanyon and developed by Techspawn Solutions. It is designed for businesses managing inventory across multiple locations within WooCommerce. The plugin is widely used by e-commerce stores seeking advanced inventory features beyond WooCommerce's native capabilities.

Technical Information

CVE-2025-9054 is caused by a missing capability check in the wcmlim_settings_ajax_handler function, which handles AJAX requests for the plugin's settings. WordPress routes every wp-admin/admin-ajax.php request to whatever callback a plugin registered for the submitted action: the wp_ajax_{action} hook serves logged-in users and the wp_ajax_nopriv_{action} hook serves everyone else, and WordPress core applies no authorization to either. A handler that unauthenticated users can reach is therefore registered on the nopriv hook, and the handler body is the only place where permissions can be enforced. Secure plugin development verifies the requester's capability inside the handler, typically with current_user_can('manage_options'). This handler performs no such check, so any unauthenticated client can invoke it through admin-ajax.php.

An attacker sends an HTTP POST to wp-admin/admin-ajax.php with the action parameter set to the action that triggers wcmlim_settings_ajax_handler. The request body can name arbitrary WordPress options together with the values to store, and the vulnerable function writes them directly, with no restriction to the plugin's own settings. The most severe use is to set users_can_register to 1 and default_role to administrator: the site then accepts public registration through wp-login.php?action=register, and every account created that way is an administrator. The attacker registers a user, logs in, and has full control of the site.
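The PHP below is an added illustration, not the plugin's code (the public advisories do not publish the vulnerable source). The first handler shows the pattern the advisories describe: an AJAX callback exposed on the nopriv hook that writes whatever option the request names. The second shows the checks a WordPress AJAX handler needs, and goes one step further than the single missing capability check by also restricting which options the handler may write at all. The hook names, the AJAX action name wcmlim_settings, the request field names and the option names in the allowlist are assumptions made for the example.

```php
<?php
// Added example for CVE-2025-9054; not the plugin's own code. The action
// name "wcmlim_settings", the POST field names and the allowlisted option
// names are assumptions chosen for illustration.

// --- Vulnerable pattern (the bug class the advisories describe) ---
// Registered on both hooks, so a logged-out visitor reaches it through
// POST /wp-admin/admin-ajax.php?action=wcmlim_settings, and the request
// decides which option gets written.
add_action( 'wp_ajax_wcmlim_settings',        'wcmlim_settings_ajax_handler_vuln' );
add_action( 'wp_ajax_nopriv_wcmlim_settings', 'wcmlim_settings_ajax_handler_vuln' );

function wcmlim_settings_ajax_handler_vuln() {
    // No current_user_can(), no nonce, no allowlist. A body of
    //   option_name=default_role&option_value=administrator
    // followed by option_name=users_can_register&option_value=1
    // is accepted from anyone on the internet.
    $name  = isset( $_POST['option_name'] )  ? sanitize_key( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] )  : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// --- Hardened pattern ---
// 1. No nopriv hook: admin-ajax.php answers logged-out callers with "0".
// 2. Capability check: only users allowed to manage the site continue.
// 3. Nonce check: a logged-in admin cannot be tricked into the request.
// 4. Allowlist: only the plugin's own options can be written, so core
//    options such as users_can_register and default_role are unreachable.
add_action( 'wp_ajax_wcmlim_settings', 'wcmlim_settings_ajax_handler_fixed' );

function wcmlim_allowed_settings() {
    // Assumed plugin option names, each paired with the sanitizer to apply.
    return array(
        'wcmlim_default_location' => 'absint',
        'wcmlim_low_stock_email'  => 'sanitize_email',
        'wcmlim_enable_logging'   => 'rest_sanitize_boolean',
    );
}

function wcmlim_settings_ajax_handler_fixed() {
    // Authorization first: this is the check whose absence is CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }
    // CSRF protection; check_ajax_referer() dies on a bad or missing nonce.
    check_ajax_referer( 'wcmlim_settings_nonce', 'security' );

    $allowed = wcmlim_allowed_settings();
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! array_key_exists( $name, $allowed ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );
    update_option( $name, $value );
    wp_send_json_success( array( 'updated' => $name ) );
}
```

The capability check is the fix for the reported flaw; the nonce is not a substitute for it, because a nonce only proves the request originated from a page WordPress rendered for that visitor, and the allowlist is what makes the handler safe even if a future change relaxes the other checks. Operators who ran an affected version can verify the two options the advisories single out with wp option get users_can_register and wp option get default_role, and should review any administrator accounts created while the vulnerable version was active.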

This vulnerability is classified under CWE-862 (Missing Authorization). No code snippets are provided in public sources, but the vulnerability mechanism is confirmed by multiple advisories.

Affected Systems and Versions

  • Product: MultiLoca WooCommerce Multi Locations Inventory Management plugin for WordPress
  • Affected versions: All versions up to and including 4.2.8
  • Vulnerable configuration: Any WordPress installation with the affected plugin version active

Vendor Security History

Techspawn Solutions, the developer of MultiLoca, provides documentation and support for the plugin but has published little about its security response history. The vulnerability is an instance of a recurring weakness in WordPress plugin development: AJAX handlers registered for unauthenticated callers without an authorization check. Similar flaws in other WordPress plugins have been exploited in the wild, often leading to rapid site compromise.
