What the vulnerability does
01Description
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.
Explanation of Vulnerability in Simple Terms
02Summary
WCFM Membership plugin versions up to 2.11.10 contain an authorization flaw that allows authenticated users to modify or delete critical site data. An attacker with a low-privilege account can bypass access controls to alter membership settings, user records, or marketplace configuration without proper permission checks. This affects multivendor WooCommerce installations relying on this plugin for membership management.
What an attacker can do
03Attacker Capabilities
Modify or delete membership data and site configuration without authorization.
Potential impact on your site
04Site Impact
Membership records, vendor data, or marketplace settings can be corrupted or deleted by unauthorized users.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site.
Key dates
06Disclosure timeline
July 8, 2026
CVE published
July 8, 2026
Record updated