Description
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Membership: from n/a through <= 2.11.10.
Published: 2026-05-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization checks in the WCFM Membership plugin for WordPress allow an attacker who can reach the plugin's endpoints to read or modify data that should be restricted. The flaw is a classic instance of CWE-862 (Missing Authorization), a broken access control weakness, and can lead to the compromise of membership information or the manipulation of vendor memberships, effectively enabling unauthorized privilege escalation.

Affected Systems

The WCFM Membership plugin for WordPress, published by WC Lovers, is affected by this vulnerability. All releases up to and including version 2.11.10 are vulnerable; no later versions are listed as affected.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity. No EPSS score is available, so the exploitation likelihood remains uncertain, but the absence of a KEV listing suggests no widely known exploits yet. The likely attack vector is a web application attack where an attacker sends crafted HTTP requests to the plugin’s administrative endpoints without proper authorization checks. If a site hosts the plugin and a user can reach those endpoints, the risk of data exposure or unauthorized changes is significant, warranting immediate remediation.

Generated by OpenCVE AI on May 27, 2026 at 11:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WCFM Membership plugin to a version newer than 2.11.10 once an official fix is released.
  • If an upgrade is not yet available, disable or uninstall the plugin to eliminate the attack surface until the flaw is corrected.
  • Apply role-based access controls in WordPress so that only users with the appropriate administrative privileges can access the plugin's member-management functions.

Advisories

No advisories yet.

History

Wed, 27 May 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Wclovers; Wclovers wcfm Membership; Wordpress; Wordpress wordpress
Vendors & Products    -                Wclovers; Wclovers wcfm Membership; Wordpress; Wordpress wordpress

Wed, 27 May 2026 11:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type          Values Removed   Values Added
Description   -                Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Membership: from n/a through <= 2.11.10.
Title         -                WordPress WCFM Membership plugin <= 2.11.10 - Broken Access Control vulnerability
Weaknesses    -                CWE-862
References    -                -
Metrics       -                cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:49:37.618Z

Reserved: 2026-04-29T09:05:35.592Z

Link: CVE-2026-42753

Vulnrichment

Updated: 2026-05-27T10:49:32.484Z

NVD

Status : Received

Published: 2026-05-27T11:16:21.760

Modified: 2026-05-27T11:16:21.760

Link: CVE-2026-42753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:00:32Z

Weaknesses