Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Membership: from n/a through <= 2.11.10.
AnalysisAI
Broken access control in the WCFM Membership (wc-multivendor-membership) WordPress plugin by WC Lovers, affecting all versions up to and including 2.11.10, lets remote attackers reach functionality that should be authorization-gated. Because the vulnerable path is exposed over the network with no privileges or user interaction required (CVSS 7.3), unauthenticated actors can exploit incorrectly enforced access-control levels, though the impact to confidentiality, integrity, and availability is rated Low for each. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low at 0.04% (11th percentile).
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32200
GHSA-fq8f-6hrp-6mfv