Description
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
Published: 2026-02-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Insecure Direct Object Reference enabling modification of other users' membership payments
Action: Update Plugin
AI Analysis

Impact

The flaw is an IDOR in the WCFM Membership plugin that allows a user to alter any other customer’s payment record by supplying a tampered identifier to the payment controller. This violates data integrity, potentially enabling unauthorized changes to membership billing, fraud, or service disruption. It is a moderate risk flaw with a CVSS score of 4.3 because it only compromises account integrity and requires an authenticated user.

Affected Systems

WordPress sites running the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin version 2.11.8 or older are affected. The plugin is developed and maintained by WCLovers.

Risk and Exploitability

The vulnerability can only be exploited by an authenticated user with at least a Subscriber role, meaning the attacker must have or compromise a legitimate account. No remote code execution or privileged escalation is involved. The EPSS score of less than 1% indicates a very low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. The attack path is simple: send a crafted request to the payment processing endpoint without proper ownership validation. The CVSS score reflects the moderate impact and limited attacker capability.

Generated by OpenCVE AI on April 20, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WCFM Membership plugin to the latest version that contains the IDOR fix or apply any vendor‐supplied patch if available.
  • Restrict the Subscriber role so it no longer has permission to invoke the payment controller or modify membership payments; grant this ability only to higher roles such as Editor or Administrator.
  • Enable or review WordPress audit logs and monitoring for unauthorized changes to payment records, investigating any anomalies promptly.

Generated by OpenCVE AI on April 20, 2026 at 20:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Wclovers
Wclovers wcfm Membership – Woocommerce Memberships For Multivendor Marketplace
Wordpress
Wordpress wordpress
Vendors & Products Wclovers
Wclovers wcfm Membership – Woocommerce Memberships For Multivendor Marketplace
Wordpress
Wordpress wordpress

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 23:45:00 +0000

Type Values Removed Values Added
Description The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
Title WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wclovers Wcfm Membership – Woocommerce Memberships For Multivendor Marketplace
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:40.486Z

Reserved: 2025-12-27T13:25:09.137Z

Link: CVE-2025-15147

cve-icon Vulnrichment

Updated: 2026-02-10T16:47:55.555Z

cve-icon NVD

Status : Deferred

Published: 2026-02-10T00:16:04.407

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15147

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:00:12Z

Weaknesses