CVE-2026-3688
Received Received - Intake

Insecure Direct Object Reference in WCFM Membership WordPress Plugin

Vulnerability report for CVE-2026-3688, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Wordfence

Description

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wcfm membership to 2.11.10 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress has a vulnerability known as Insecure Direct Object Reference (IDOR) in all versions up to and including 2.11.10.

This vulnerability exists because the 'wcfmvm_membership_change' AJAX action does not properly validate whether a user has permission to modify other users.

As a result, an authenticated attacker with vendor level access or higher can change any user's role to 'wcfm_vendor' by altering their membership plan.

Impact Analysis

This vulnerability can allow an attacker with vendor level access to escalate privileges by changing other users' roles to 'wcfm_vendor'.

Such unauthorized role changes can lead to unauthorized access to vendor-specific features or data, potentially compromising the integrity and security of the marketplace.

The CVSS score of 8.1 indicates a high severity impact, with the potential for significant integrity and availability damage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3688. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart