Skip to main content

WC Lovers WCFM Membership CVE-2026-42753

| EUVDEUVD-2026-32200 HIGH
Missing Authorization (CWE-862)
2026-05-27 audit@patchstack.com GHSA-fq8f-6hrp-6mfv
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:37 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Membership: from n/a through <= 2.11.10.

AnalysisAI

Broken access control in the WCFM Membership (wc-multivendor-membership) WordPress plugin by WC Lovers, affecting all versions up to and including 2.11.10, lets remote attackers reach functionality that should be authorization-gated. Because the vulnerable path is exposed over the network with no privileges or user interaction required (CVSS 7.3), unauthenticated actors can exploit incorrectly enforced access-control levels, though the impact to confidentiality, integrity, and availability is rated Low for each. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low at 0.04% (11th percentile).

Share

CVE-2026-42753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy