Impact
A Cross-Site Request Forgery flaw in the SUMO Memberships for WooCommerce plugin allows an attacker to make a logged-in user's browser submit privileged actions without that user's consent. By crafting a forged request to the vulnerable endpoints, the attacker can modify membership settings, add or remove users, or grant themselves higher privileges, compromising the integrity of the site's membership management.
Affected Systems
This issue affects the FantasticPlugins SUMO Memberships for WooCommerce plugin on all installations running a version earlier than 7.8.0. No build in that range is excluded: any instance running an affected version should be treated as vulnerable until it is updated to the vendor's fixed release, version 7.8.0 or later.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation is likely to require the attacker to persuade an authorized user to visit a malicious site while that user holds a valid session, or otherwise to rely on social-engineering tactics. If successful, the attacker can make unauthorized changes to membership configurations with the privileges of the user whose browser submitted the forged request, potentially leading to data exposure or service disruption.
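The weakness behind both the Impact and the Risk sections above is a state-changing endpoint that accepts a request on the strength of the victim's session cookie alone, so a form on an attacker-controlled page is honoured as if the user had submitted it. The standard WordPress defence is a per-user, per-action nonce checked on the server, combined with a capability check. The following is an added illustration and is not code from the SUMO Memberships plugin or from OpenCVE; the plugin's real endpoints, option names and hook names are not given on this page, so every identifier prefixed `hyp_` (the handler names, the `hyp_default_membership_plan` option, the `hyp_nonce` field) is assumed for illustration. It shows a weak admin-post handler of the kind the advisory describes next to its hardened form.

```php
<?php
// Added example (not the plugin's code). All hyp_* names are hypothetical;
// the WordPress functions (check_admin_referer, wp_nonce_field, etc.) are real.

// --- Weak pattern: no nonce check and no capability check. ---
// Any POST that reaches admin-post.php with action=hyp_save_membership_weak
// is processed as long as the browser sends an authenticated cookie. A form on
// another site can trigger exactly that, which is the shape of the CSRF flaw.
function hyp_save_membership_weak() {
    $plan = sanitize_text_field( wp_unslash( $_POST['hyp_default_plan'] ?? '' ) );
    update_option( 'hyp_default_membership_plan', $plan );
    wp_safe_redirect( admin_url( 'admin.php?page=hyp-memberships&saved=1' ) );
    exit;
}
add_action( 'admin_post_hyp_save_membership_weak', 'hyp_save_membership_weak' );

// --- Hardened pattern: authorization check, then CSRF token verification. ---
function hyp_save_membership_hardened() {
    // 1. Authorization: only users permitted to manage the site may save.
    //    (Use the narrowest capability that fits the real feature.)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hyp' ), 403 );
    }

    // 2. CSRF defence: the request must carry a nonce that WordPress issued to
    //    this user for this specific action. A cross-site page cannot read or
    //    forge it. check_admin_referer() terminates the request with an error
    //    page when the nonce is missing, expired or bound to another action.
    check_admin_referer( 'hyp_save_membership', 'hyp_nonce' );

    // 3. Only now touch state, with the input sanitized.
    $plan = sanitize_text_field( wp_unslash( $_POST['hyp_default_plan'] ?? '' ) );
    update_option( 'hyp_default_membership_plan', $plan );
    wp_safe_redirect( admin_url( 'admin.php?page=hyp-memberships&saved=1' ) );
    exit;
}
add_action( 'admin_post_hyp_save_membership_hardened', 'hyp_save_membership_hardened' );

// The legitimate settings form must embed the matching nonce, otherwise the
// hardened handler rejects the site's own submissions too.
function hyp_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hyp_save_membership_hardened">
        <?php wp_nonce_field( 'hyp_save_membership', 'hyp_nonce' ); ?>
        <label>Default membership plan
            <input type="text" name="hyp_default_plan"
                   value="<?php echo esc_attr( get_option( 'hyp_default_membership_plan', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The order of the checks matters: the capability check runs first so that an unauthenticated or low-privilege request is rejected before any nonce logic, and the nonce check runs before any write so that a forged request from an authenticated victim never reaches `update_option()`. The same two checks apply to other entry points a membership plugin might expose: `wp_ajax_*` handlers use `check_ajax_referer()`, and REST routes should declare a `permission_callback` and rely on the REST nonce sent in the `X-WP-Nonce` header. When reviewing an installation for this class of flaw, look for handlers hooked to `admin_post_*`, `wp_ajax_*`, `init` or `admin_init` that call `update_option()`, `update_user_meta()` or membership-changing functions without a preceding nonce verification.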
OpenCVE Enrichment