CVE-2026-3688
wclovers · WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
The WCFM Membership plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated users to bypass authorization controls.
Executive summary
An Insecure Direct Object Reference vulnerability in the WCFM Membership plugin allows authenticated users to perform unauthorized actions, risking data integrity.
Vulnerability
This is an IDOR vulnerability where the plugin fails to perform adequate authorization checks on user-controlled keys. An authenticated user with low privileges can manipulate requests to access or modify data they are not authorized to interact with.
Business impact
This vulnerability can lead to unauthorized data manipulation or access within the multivendor marketplace. With a CVSS score of 8.1, the flaw significantly impacts the integrity of the platform, potentially allowing vendors to access or modify membership data belonging to others.
Remediation
Immediate Action: Immediately update the WCFM Membership plugin to the latest available version provided by the vendor.
Proactive Monitoring: Monitor site traffic and application logs for unusual request patterns targeting membership or user management endpoints.
Compensating Controls: If a patch is not immediately applicable, implement a Web Application Firewall (WAF) rule to block unauthorized access attempts to plugin-specific API endpoints.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Plugin vulnerabilities in e-commerce environments are frequently targeted. Administrators must verify their current plugin version and apply the vendor-provided update immediately to prevent unauthorized access and potential business logic abuse.