What the vulnerability does
01 Description
Missing Authorization vulnerability in WP Swings Membership For WooCommerce (membership-for-woocommerce) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through <= 2.9.0.
Explanation of Vulnerability in Simple Terms
02 Summary
The Membership For WooCommerce plugin for WordPress does not properly check user permissions before allowing access to sensitive membership data. An unauthenticated attacker can read membership information, user details, and subscription records without logging in. This affects all versions up to 2.9.0. Site owners should update immediately to a patched version.
What an attacker can do
03 Attacker Capabilities
Read membership data, user details, and subscription records without authentication.
Potential impact on your site
04 Site Impact
Membership and subscription data is exposed to anyone on the internet, including customer names, emails, and payment history.
Conditions required to exploit
05 Prerequisites
None. The attacker needs only network access; no login or user interaction is required.
Key dates
06 Disclosure timeline
August 14, 2025: CVE published
May 12, 2026: Record updated