CVE-2026-1722

Awaiting Analysis Awaiting Analysis - Queue

IDOR Vulnerability in WCFM Marketplace Plugin Enables Refund Fraud

Publication date: 2026-02-10

Last updated on: 2026-02-10

Assigner: Wordfence

Description

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-10

Last Modified

2026-02-10

Generated

2026-06-16

AI Q&A

2026-02-10

EPSS Evaluated

2026-06-14

NVD

CVE-2026-1722

EUVD

EUVD-2026-6878

Affected Vendors & Products

Vendor	Product	Version / Range
wcfm	marketplace	to 3.7.0 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-862	The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

Executive Summary

The vulnerability exists in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress, specifically in all versions up to and including 3.7.0. It is an Insecure Direct Object Reference (IDOR) issue caused by the lack of authorization checks in the `wcfm-refund-requests-form` AJAX controller.

This means that unauthenticated attackers can exploit this flaw to create arbitrary refund requests for any order ID and item ID without proper permission.

Impact Analysis

This vulnerability can lead to financial loss because attackers can submit refund requests for orders they do not own.

If the plugin settings allow automatic refund approval, these unauthorized refund requests could be processed without manual intervention, resulting in unauthorized refunds.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin to a version later than 3.7.0 where the authorization checks in the `wcfm-refund-requests-form` AJAX controller are properly implemented.

If an update is not immediately available, consider disabling the refund request functionality or the affected AJAX controller to prevent unauthenticated attackers from creating arbitrary refund requests.

Additionally, review your plugin settings to ensure that automatic refund approval is disabled to reduce the risk of financial loss.

Hi! I’m here to help you understand CVE-2026-1722. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-1722

IDOR Vulnerability in WCFM Marketplace Plugin Enables Refund Fraud

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart