CVE-2025-9054
MultiLoca - WooCommerce Multi Locations Inventory Management <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Options Update via 'wcmlim_settings_ajax_handler'The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
We have discovered 84 live websites that are affected by CVE-2025-9054.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 84 live websites (100% of WooCommerce Multi Locations Inventory Management install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Sep 24, 2025
- Updated - Sep 24, 2025
Credits
- Thái An (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-9054 United States | 27 websites |
 Canada | 6 websites |
 Chile | 5 websites |
 Australia | 4 websites |
 France | 4 websites |
 Indonesia | 4 websites |
 South Africa | 4 websites |
 Russia | 3 websites |
 Belgium | 2 websites |
 Italy | 2 websites |
Website Distribution by TLD
Number of websites using CVE-2025-9054| .com | 37 websites |
| .eu | 6 websites |
| .ca | 3 websites |
| .com.au | 3 websites |
| .ru | 2 websites |
| .be | 1 websites |
| .co.uk | 1 websites |
| .com.br | 1 websites |
| .cz | 1 websites |
| .fr | 1 websites |
Websites affected by CVE-2025-9054
Top websites that are affected by CVE-2025-9054. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****************.com | United States | **,*** | |
| ******.com | United States | ***,*** | |
| ***************.com | United States | *,***,*** | |
| **********.com | United States | *,***,*** | |
| ***************.com | Canada | *,***,*** | |
| **************.com | United States | *,***,*** | |
| ******.com |  Germany | *,***,*** | |
| ***********.com | United States | *,***,*** | |
| ********.cc | Belgium | *,***,*** | |
| *******.com | United States | *,***,*** |
FAQ
CVE-2025-9054 is Missing Authorization in WooCommerce Multi Locations Inventory Management
A total of 84 websites have been identified as vulnerable to CVE-2025-9054, based on global website indexing conducted by WebTechSurvey.
The WooCommerce Multi Locations Inventory Management is affected by the CVE-2025-9054 vulnerability.
WooCommerce Multi Locations Inventory Management versions up to and including 4.2.8 are vulnerable to CVE-2025-9054.