CVE-2025-9054
Published: 24 September 2025
Summary
CVE-2025-9054 is a critical-severity Missing Authorization (CWE-862) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly mitigating the missing capability check on the wcmlim_settings_ajax_handler that allows unauthenticated data modification.
Identifies, reports, and corrects flaws like the missing authorization in the plugin in a timely manner through patching, preventing exploitation.
Employs least privilege to restrict the impact of privilege escalation attempts via unauthorized changes to default user roles and registration settings.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing capability check on public AJAX handler enables remote unauthenticated exploitation of web app (T1190) for unauthorized option changes that directly achieve privilege escalation (T1068) via account role manipulation (T1098).
NVD Description
The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and…
more
including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Deeper analysisAI
CVE-2025-9054 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in the MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress, affecting all versions up to and including 4.2.8. It stems from a missing capability check (CWE-862) on the 'wcmlim_settings_ajax_handler' function, enabling unauthorized modification of WordPress site data and leading to privilege escalation.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted requests to the affected AJAX handler, they can update arbitrary WordPress options, such as changing the default role for new user registrations to administrator and enabling open registration. This allows attackers to create accounts with full administrative access to the site.
Mitigation details are available in the plugin's changelog on CodeCanyon (https://codecanyon.net/item/woocommerce-multi-locations-inventory-management/28949586#item-description__changelog) and Wordfence's threat intelligence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/6a04e6ad-9365-4cb5-a0a0-82e047647d6b?source=cve), which cover patches and remediation steps for vulnerable installations.
Details
- CWE(s)