CVE-2026-3688

wclovers · WCFM Membership – WooCommerce Memberships for Multivendor Marketplace

The WCFM Membership plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated users to bypass authorization controls.

Executive summary

An Insecure Direct Object Reference vulnerability in the WCFM Membership plugin allows authenticated users to perform unauthorized actions, risking data integrity.

Vulnerability

This is an IDOR vulnerability where the plugin fails to perform adequate authorization checks on user-controlled keys. An authenticated user with low privileges can manipulate requests to access or modify data they are not authorized to interact with.

Business impact

This vulnerability can lead to unauthorized data manipulation or access within the multivendor marketplace. With a CVSS score of 8.1, the flaw significantly impacts the integrity of the platform, potentially allowing vendors to access or modify membership data belonging to others.

Remediation

Immediate Action: Immediately update the WCFM Membership plugin to the latest available version provided by the vendor.

Proactive Monitoring: Monitor site traffic and application logs for unusual request patterns targeting membership or user management endpoints.

Compensating Controls: If a patch is not immediately applicable, implement a Web Application Firewall (WAF) rule to block unauthorized access attempts to plugin-specific API endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Plugin vulnerabilities in e-commerce environments are frequently targeted. Administrators must verify their current plugin version and apply the vendor-provided update immediately to prevent unauthorized access and potential business logic abuse.