The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.
Metrics
Affected Vendors & Products
References
History
Wed, 08 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Wclovers
Wclovers wcfm Membership – Woocommerce Memberships For Multivendor Marketplace Wordpress Wordpress wordpress |
|
| Vendors & Products |
Wclovers
Wclovers wcfm Membership – Woocommerce Memberships For Multivendor Marketplace Wordpress Wordpress wordpress |
Wed, 08 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan. | |
| Title | WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-08T11:35:40.708Z
Reserved: 2026-03-06T23:43:39.850Z
Link: CVE-2026-3688
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T13:30:03Z