Skip to main content

WCFM Membership CVE-2026-3688

| EUVDEUVD-2026-42220 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-08 Wordfence GHSA-2jfc-5xjv-8mv7
8.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
6.5 MEDIUM

Network AJAX action with low complexity and an existing vendor account (PR:L); high integrity from arbitrary role changes, no confidentiality, and availability rated N since a role change is fundamentally an integrity effect (NVD assigned A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 12:40 vuln.today
CVE Published
Jul 08, 2026 - 11:35 nvd
HIGH 8.1

DescriptionCVE.org

The WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.

AnalysisAI

Privilege escalation via Insecure Direct Object Reference in the WCFM Membership (WooCommerce Memberships for Multivendor Marketplace) WordPress plugin versions up to and including 2.11.10 lets authenticated users holding at least vendor-level access manipulate the 'wcfmvm_membership_change' AJAX action to reassign any user's account to the 'wcfm_vendor' role by altering their membership plan. Because the action never checks whether the caller is authorized to modify the targeted user, a low-privileged marketplace vendor can tamper with arbitrary accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as vendor-level user
Delivery
Send crafted wcfmvm_membership_change AJAX request
Exploit
Substitute target user ID and plan
Execution
Server skips ownership check (IDOR)
Impact
Victim role reassigned to wcfm_vendor

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold an authenticated account with vendor-level access or above on a site running WCFM Membership 2.11.10 or earlier, and the site must expose the multivendor membership functionality (the 'wcfmvm_membership_change' AJAX action). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H describes a network-reachable, low-complexity attack requiring only low privileges (PR:L, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or purchases a low-privileged vendor account on a WCFM-powered multivendor marketplace, then sends a crafted authenticated request invoking the 'wcfmvm_membership_change' AJAX action while substituting the target user's ID and a membership plan of their choosing. Because ownership is never validated, the server changes the victim's WordPress role to 'wcfm_vendor', letting the attacker tamper with arbitrary accounts. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the corrective change is committed in the WordPress plugin SVN repository at changeset 3520777 (https://plugins.trac.wordpress.org/changeset/3520777/wc-multivendor-membership), so administrators should update WCFM Membership to the latest available release beyond 2.11.10 as soon as it is published and review the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/8a934ccd-9330-4585-9994-838940d24980?source=cve for the confirmed fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit current plugin version across all instances; identify all active vendors with marketplace access; document current vendor roster. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-3688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy