WC Vendors Marketplace v2.4.5 has been released. We were informed of a medium level security vulnerability by the WP Scan team and quickly addressed the issue within 24 hours. We would like to thank Lana Codes for discovering and disclosing the vulnerability so that we were able to address it quickly and safely.
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
You can read the full disclosure on the WP Scan website here. If you have not updated now, we recommend you do this as soon as possible. Although this requires specific conditions to be met, a bad actor with contributor role or above could cause an issue.
Fixed: Escaped attributes to address security vulnerability report (#882)
This update should show up in your plugin updates, however, if it doesn’t, you can download it from your my-account/downloads page.
If you have any questions or issues, be sure to send in a ticket.