CVE-2025-15147
Awaiting Analysis Awaiting Analysis - Queue
Insecure Direct Object Reference in WCFM Membership Plugin Allows Payment Modification

Publication date: 2026-02-10

Last updated on: 2026-02-10

Assigner: Wordfence

Description
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-10
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15147
EUVD
EUVD-2025-207189
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wcfm membership to 2.11.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress, specifically in versions up to and including 2.11.8. It is an Insecure Direct Object Reference (IDOR) issue found in the 'WCFMvm_Memberships_Payment_Controller::processing' function. The problem arises because the plugin does not properly validate a user-controlled key, allowing authenticated users with Subscriber-level access or higher to modify membership payments of other users.

Impact Analysis

This vulnerability can allow attackers who have at least Subscriber-level access to alter the membership payments of other users. This could lead to unauthorized changes in membership status or payment records, potentially causing financial discrepancies, unauthorized access to membership benefits, or disruption of service for legitimate users.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart