CVE-2026-3688 in WCFM Membership Plugininfo

Summary

by MITRE • 07/08/2026

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in the WCFM Membership plugin represents a critical insecure direct object reference issue that undermines the security model of the multivendor marketplace platform. This flaw exists within the core functionality that manages user memberships and permissions, specifically through the wcfmvm_membership_change AJAX endpoint that handles membership plan modifications. The vulnerability affects all versions up to and including 2.11.10, making it a widespread concern for WordPress sites utilizing this plugin in their WooCommerce multivendor environments. The issue stems from inadequate permission validation mechanisms that fail to verify whether an authenticated user has legitimate authorization to modify another user's membership status, creating a pathway for unauthorized privilege escalation.

The technical implementation of this vulnerability allows attackers with vendor-level access or higher to exploit the lack of proper access controls during AJAX operations. When an attacker invokes the wcfmvm_membership_change endpoint, the system does not perform adequate checks to ensure that the requesting user has permission to modify the target user's membership plan. This absence of validation creates a direct reference to user objects without proper authorization verification, enabling malicious actors to manipulate any user account within the system. The vulnerability specifically targets the role modification process, allowing attackers to elevate any user's privileges to wcfm_vendor status through simple membership plan changes.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it fundamentally compromises the access control mechanisms that protect multivendor marketplaces. Attackers can leverage this flaw to gain unauthorized access to vendor dashboards, potentially accessing sensitive customer data, product information, and transaction records. The implications are particularly severe in marketplace environments where multiple vendors operate with varying levels of trust and responsibility, as an attacker could essentially create new vendor accounts with elevated privileges or modify existing vendor accounts to gain unauthorized access to the entire marketplace ecosystem. This vulnerability directly violates the principle of least privilege and undermines the security boundaries that protect different user roles within the platform.

Organizations using this plugin should implement immediate mitigations including updating to the latest version where the vulnerability has been addressed, implementing additional access controls through custom code or security plugins, and conducting thorough audits of user permissions and membership assignments. The vulnerability aligns with CWE-284 Access Control issues that specifically address improper access control mechanisms in software applications. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques where adversaries leverage insecure object references to gain elevated system privileges. Security teams should also consider implementing network-level monitoring to detect suspicious AJAX requests targeting the vulnerable endpoint and establish proper logging of membership plan changes to enable rapid incident response when such attacks occur.

Responsible

Wordfence

Reservation

03/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!