Description
Missing Authorization vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Membership For WooCommerce: from n/a through <= 2.8.1.
Published: 2025-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an authorization flaw that permits users without the necessary permissions to invoke privileged functions within the Membership For WooCommerce plugin. An attacker who can trigger these functions can potentially modify membership settings or gain additional administrative capabilities, thereby compromising the confidentiality and integrity of the site’s membership data.

Affected Systems

WordPress sites running the WP Swings Membership For WooCommerce plugin version 2.8.1 or earlier are impacted. The issue is present from the earliest released version up through 2.8.1. No other versions are affected according to the data provided.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of <1% suggests a low probability of exploitation at this time. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web‑based approach, where an attacker could access restricted plugin endpoints without proper authorization, potentially allowing unauthorized modification of membership data.

Generated by OpenCVE AI on April 30, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Membership For WooCommerce plugin to the latest patched version (>=2.8.2).
  • If an update is not feasible, restrict the plugin’s administrative endpoints to trusted administrator roles and disable them for all other users.
  • Continuously monitor the site’s audit logs for anomalous access to the plugin’s privileged functions and investigate any unauthorized changes promptly.

Generated by OpenCVE AI on April 30, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17540 Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.8.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.8.1. Missing Authorization vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Membership For WooCommerce: from n/a through <= 2.8.1.
Title WordPress Membership For WooCommerce <= 2.8.1 - Broken Access Control Vulnerability WordPress Membership For WooCommerce plugin <= 2.8.1 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00042}

 epss

{'score': 0.00045}

Mon, 09 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.8.1.
Title WordPress Membership For WooCommerce <= 2.8.1 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wpswings Membership For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:59.720Z

Reserved: 2025-06-04T09:41:22.714Z

Link: CVE-2025-49265

cve-icon Vulnrichment

Updated: 2025-06-09T19:22:45.670Z

cve-icon NVD

Status : Deferred

Published: 2025-06-09T16:15:45.063

Modified: 2026-04-23T15:31:21.200

Link: CVE-2025-49265

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses