CVE-2026-3688 HIGH

CVE-2026-3688: WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite

Vendor Wclovers
Product WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Weakness CWE-639 · IDOR
Published July 8, 2026
Last update July 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.

Explanation of Vulnerability in Simple Terms

02Summary

WCFM Membership plugin versions up to 2.11.10 contain an authorization flaw that allows authenticated users to modify or delete critical site data. An attacker with a low-privilege account can bypass access controls to alter membership settings, user records, or marketplace configuration without proper permission checks. This affects multivendor WooCommerce installations relying on this plugin for membership management.

What an attacker can do

03Attacker Capabilities

Modify or delete membership data and site configuration without authorization.

Potential impact on your site

04Site Impact

Membership records, vendor data, or marketplace settings can be corrupted or deleted by unauthorized users.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06Disclosure timeline

July 8, 2026 CVE published
July 8, 2026 Record updated

Related vulnerabilities

08Related CVE