CVE-2025-15147 in WCFM Membership Plugin
Summary
by MITRE • 02/10/2026
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
Analysis
by VulDB Data Team • 02/11/2026
CVE-2025-15147 affects the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress. It is an authorization flaw in the plugin's membership payment processing: the code that modifies a membership payment record does not verify that the record belongs to the user making the request. All versions up to and including 2.11.8 are affected, so any site still running one of those releases is exposed to unauthorized modification of payment data.
The root cause is an insecure direct object reference in the WCFMvm_Memberships_Payment_Controller::processing method. The method accepts a user-controlled key that selects which membership payment record to operate on and acts on that record without checking that it belongs to the current user. An authenticated user can therefore substitute another user's key and have the plugin modify that user's payment. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), which covers exactly this pattern: the application looks up an object by a key the client supplies and never verifies the caller's rights to that object.
The operational impact is serious for multivendor marketplaces that rely on WCFM Membership for vendor onboarding and membership billing. An authenticated attacker with Subscriber-level access or higher can modify membership payment records belonging to other users, which could be used to tamper with payment status to obtain premium membership features without paying, to corrupt other vendors' membership records, or to disrupt legitimate business operations. Note that this is a horizontal authorization bypass rather than a vertical privilege escalation: the attacker gains no new capabilities, but can act on records owned by any other account. Subscriber is the default role for self-registered users in WordPress, so on a site that allows registration the only prerequisite is an account.
In ATT&CK terms the relevant technique is T1078 Valid Accounts: the attacker operates from a legitimate, low-privileged account rather than bypassing authentication. T1566 Phishing does not apply, since exploitation involves no social engineering; the attacker only needs an account of their own. From a design standpoint the flaw is a failure of least privilege and of object-level authorization: every operation on a record should be tied to a check that the caller is entitled to that specific record. It is not an input-validation problem in the usual sense. Sanitizing the key as an integer would not have helped, because a well-formed key that happens to belong to someone else is exactly the attack. The fix is an ownership or capability check before the record is touched.
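The following is an added illustration of the pattern described in the root-cause and design paragraphs above; it is not code from the WCFM Membership plugin and does not reproduce the actual `processing` method. The payment table, function names and request shape are constructed for the example. It shows a payment handler that trusts a request-supplied key beside one that binds the operation to the record's owner, and demonstrates that integer sanitization alone does not stop the attack.

```php
<?php
// Illustrative IDOR pattern (not the plugin's code). Two versions of a
// membership-payment "processing" handler that take a record key from the
// request: the vulnerable one trusts the key, the hardened one checks that
// the acting user owns the record (or holds an admin capability).
declare(strict_types=1);

// Constructed sample data: a membership payment table keyed by payment id.
function sample_payments(): array {
    return [
        42 => ['user_id' => 3, 'status' => 'pending', 'amount' => 4900],
        43 => ['user_id' => 7, 'status' => 'pending', 'amount' => 4900],
    ];
}

// Vulnerable: the payment id comes straight from the request and the only
// question asked is "does this record exist?". The acting user is never
// consulted, so any authenticated user can update any payment by id.
function process_vulnerable(array $request, int $acting_user, array &$payments): array {
    $payment_id = (int) ($request['payment_id'] ?? 0);
    if (!isset($payments[$payment_id])) {
        throw new RuntimeException('no such payment');
    }
    $payments[$payment_id]['status'] = (string) ($request['status'] ?? '');
    return $payments[$payment_id];
}

// Hardened: same input handling plus an authorization decision bound to the
// record's owner. Validating the id as a positive integer is still done,
// but it is the ownership comparison that stops the attack.
function process_hardened(array $request, int $acting_user, bool $is_admin, array &$payments): array {
    $payment_id = filter_var(
        $request['payment_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($payment_id === false) {
        throw new InvalidArgumentException('invalid payment id');
    }
    if (!isset($payments[$payment_id])) {
        throw new RuntimeException('no such payment');
    }
    $status = (string) ($request['status'] ?? '');
    if (!in_array($status, ['pending', 'completed', 'cancelled'], true)) {
        throw new InvalidArgumentException('invalid status');
    }
    // The authorization check: the record must belong to the caller unless
    // the caller is an administrator. Inside WordPress the two inputs would
    // come from get_current_user_id() and current_user_can('manage_options').
    if ($payments[$payment_id]['user_id'] !== $acting_user && !$is_admin) {
        throw new RuntimeException('forbidden: payment belongs to another user');
    }
    $payments[$payment_id]['status'] = $status;
    return $payments[$payment_id];
}

// Demo: user 7 (a Subscriber) submits payment_id=42, which belongs to user 3.
$tampered = ['payment_id' => '42', 'status' => 'completed'];

$db = sample_payments();
$r = process_vulnerable($tampered, 7, $db);
printf("vulnerable: payment 42 owner=%d now status=%s\n", $r['user_id'], $r['status']);

$db = sample_payments();
try {
    process_hardened($tampered, 7, false, $db);
} catch (RuntimeException $e) {
    printf("hardened:   %s (status still %s)\n", $e->getMessage(), $db[42]['status']);
}

// The same request against the caller's own record is still permitted.
$own = ['payment_id' => '43', 'status' => 'completed'];
$r = process_hardened($own, 7, false, $db);
printf("hardened:   own payment 43 -> %s\n", $r['status']);
```

Run with `php idor_example.php`. The vulnerable handler happily marks user 3's payment as completed on behalf of user 7; the hardened handler refuses it and leaves the record unchanged, while still allowing user 7 to act on payment 43. The point to take from the hardened version is where the check sits: after the record is loaded and before anything is written, so the decision is made against the record's real owner rather than against anything the client sent.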
Sites using this plugin should update to a release later than 2.11.8 that addresses the issue (check the plugin changelog for the fixed version) and, until that is done, consider restricting or disabling the affected payment-processing function. Administrators should review membership payment records for unexpected status changes and enable logging of modifications to those records, including the acting user ID, so that a payment changed by an account other than its owner or an administrator stands out. Network segmentation does not help here: the attack is an ordinary authenticated HTTP request to the site itself. The broader lesson is that every object lookup driven by a user-supplied key in a web application, especially one handling payments or membership state, needs an authorization check, and that audits of other plugins and custom code should look specifically for this pattern.