Description
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.
Published: 2026-02-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Financial loss via unauthorized refunds
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference in the WCFM Marketplace WordPress plugin, classified as CWE-862 (Missing Authorization). The AJAX controller that handles refund requests performs no authorization check, so anyone can send a request carrying an arbitrary order identifier and item identifier and have a refund entry created. When an attacker does this, the refund record appears as if it had been created by the rightful vendor, which can lead to financial loss if the plugin's automatic approval setting is enabled.

Affected Systems

This weakness affects all releases of the WCFM Marketplace plugin from its initial version through 3.7.0. The product is offered by the vendor wclovers and is used to build a multi-vendor marketplace on top of WooCommerce sites. No versions beyond 3.7.0 are listed as vulnerable in the supplied data, and no other vendors are named.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score, currently below 1 %, indicates that the probability of exploitation is low as of the latest data. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted AJAX call to the vulnerable endpoint over HTTP or HTTPS, sent without any authentication. If the plugin's automatic refund approval is turned on, the attacker could obtain a fully automated refund, which could be abused to generate payouts that were never owed.

Generated by OpenCVE AI on April 16, 2026 at 01:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WCFM Marketplace plugin to a non‑vulnerable version newer than 3.7.0 that includes the missing authorization check for refund requests.
  • If an update is not immediately possible, disable the automatic refund approval setting in the plugin so that refund requests that were never authorized are not processed without review.
  • Restrict access to the refund request endpoint by ensuring it is only reachable by authenticated vendor users, or temporarily disable the refund feature until the patch is applied.
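As an added illustration (not the plugin's code and not a vendor patch), the shape of a WordPress AJAX handler with the missing-authorization defect the description names, beside a hardened handler that registers the action for authenticated users only, verifies a nonce, checks a capability, and confirms that the order item belongs to the requesting vendor. All action, function and capability names are hypothetical, and the ownership rule (the item's product author is the vendor) is an assumption about a generic multi-vendor setup, not a statement about how WCFM stores vendor data.

```php
<?php
// Added example, not the plugin's code. Handler/action/capability names are
// hypothetical; the ownership rule (product author == vendor) is an assumption.

// VULNERABLE SHAPE (CWE-862): reachable by logged-out users via wp_ajax_nopriv_
// and trusts order_id/item_id from the request with no authorization at all.
add_action( 'wp_ajax_nopriv_example_refund_unsafe', 'example_refund_unsafe' );
add_action( 'wp_ajax_example_refund_unsafe', 'example_refund_unsafe' );
function example_refund_unsafe() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $item_id  = absint( $_POST['item_id'] ?? 0 );
    do_action( 'example_refund_request_create', $order_id, $item_id ); // persists the request
    wp_send_json_success();
}

// HARDENED: no nopriv registration, CSRF nonce, capability check, then an
// object-level check that the item belongs to the caller. The nonce and
// capability checks alone do not close the IDOR; the ownership check does.
add_action( 'wp_ajax_example_refund', 'example_refund_safe' );
function example_refund_safe() {
    check_ajax_referer( 'example_refund', 'nonce' ); // dies with 403 on a bad/missing nonce
    if ( ! current_user_can( 'example_request_refunds' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $item_id  = absint( $_POST['item_id'] ?? 0 );
    if ( ! example_vendor_owns_item( get_current_user_id(), $order_id, $item_id ) ) {
        // Same response for "does not exist" and "not yours": no enumeration oracle.
        wp_send_json_error( 'not_found', 404 );
    }
    do_action( 'example_refund_request_create', $order_id, $item_id );
    wp_send_json_success();
}

// Object-level authorization: true only if the order exists, the item is a
// product line item of that order, and its product is owned by $vendor_id.
function example_vendor_owns_item( $vendor_id, $order_id, $item_id ) {
    $order = wc_get_order( $order_id );               // WooCommerce: false if no such order
    if ( ! $order ) {
        return false;
    }
    $item = $order->get_item( $item_id );             // false if item_id is not on this order
    if ( ! $item instanceof WC_Order_Item_Product ) {
        return false;
    }
    $owner = (int) get_post_field( 'post_author', $item->get_product_id() );
    return $owner > 0 && $owner === (int) $vendor_id;
}
```

The point to verify in a review of any such handler is the last function: the request's order and item identifiers must be resolved against the caller's own objects, not merely checked for a valid nonce or login.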


Tracking


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type: First Time appeared
Values removed: none
Values added: Wclovers; Wclovers wcfm Marketplace – Multivendor Marketplace For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Wclovers; Wclovers wcfm Marketplace – Multivendor Marketplace For Woocommerce; Wordpress; Wordpress wordpress

Tue, 10 Feb 2026 07:45:00 +0000

Type: Description
Values removed: none
Values added: The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.

Type: Title
Values removed: none
Values added: WCFM Marketplace <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation

Type: Weaknesses
Values removed: none
Values added: CWE-862

Type: References
Values removed: none
Values added: none

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wclovers Wcfm Marketplace – Multivendor Marketplace For Woocommerce
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:38.377Z

Reserved: 2026-01-30T20:26:54.350Z

Link: CVE-2026-1722

Vulnrichment

Updated: 2026-02-10T15:34:40.447Z

NVD

Status: Deferred

Published: 2026-02-10T08:15:56.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses