Description
Missing Authorization vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Membership For WooCommerce: from n/a through <= 2.9.0.
Published: 2025-08-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Swings Membership For WooCommerce contains a missing authorization flaw that allows an attacker to perform actions that are not properly protected by access control lists. The vulnerability is an improper privilege assignment (CWE‑862) and can expose or modify sensitive configuration or management operations without requiring the proper permissions, thereby risking confidentiality, integrity, or availability of site data.

Affected Systems

All releases of the WP Swings Membership For WooCommerce plugin from the initial version through 2.9.0 are affected, as the flaw exists in every version up to and including 2.9.0.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact if exploited, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker exploiting the plugin’s administrative interfaces, either by using valid site credentials or, if the plugin’s endpoints are exposed, by unauthenticated access. The flaw permits bypassing normal role checks, allowing privileged operations to be performed by unauthorized users.

Generated by OpenCVE AI on April 30, 2026 at 16:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Membership For WooCommerce plugin to the latest version released by the vendor that fixes the missing authorization flaw
  • If an immediate update is not possible, enforce role-based access controls on the plugin’s protected endpoints so that only users with the required WordPress roles can reach them
  • Review and adjust the site’s user role configuration to ensure that only administrators or designated membership managers have permissions to access the plugin’s configuration and restriction pages

Generated by OpenCVE AI on April 30, 2026 at 16:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24702 Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.9.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.9.0. Missing Authorization vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Membership For WooCommerce: from n/a through <= 2.9.0.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 14 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpswings
Wpswings membership For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpswings
Wpswings membership For Woocommerce

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.9.0.
Title WordPress Membership For WooCommerce Plugin <= 2.9.0 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Wpswings Membership For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.991Z

Reserved: 2025-07-28T10:55:57.300Z

Link: CVE-2025-54692

cve-icon Vulnrichment

Updated: 2025-08-14T17:52:27.125Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T11:15:50.510

Modified: 2026-04-23T15:32:50.097

Link: CVE-2025-54692

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T16:15:06Z

Weaknesses