Insecure Direct Object Reference in WCFM Membership Plugin for WooCommerce by WordPress
CVE-2026-3688

8.1HIGH

What is CVE-2026-3688?

The WCFM Membership plugin for WooCommerce is susceptible to an Insecure Direct Object Reference, allowing legitimate users with vendor access to modify the roles of other users. Specifically, the vulnerability lies in the 'wcfmvm_membership_change' AJAX action which fails to validate user permissions, enabling attackers to elevate another user’s role to 'wcfm_vendor' by altering their membership plan.

Affected Version(s)

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace 0 <= 2.11.10

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio (Os)
.