CVE-2026-3688: WordPress WCFM Membership Plugin Insecure Direct Object Reference
Authenticated attackers with vendor-level access can exploit an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-3688) in the WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin for WordPress to change any user's role to 'wcfm_vendor' by manipulating membership plans, leading to unauthorized privilege escalation.
A critical Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2026-3688, has been identified in the WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin for WordPress, affecting all versions up to and including 2.11.10. This flaw stems from insufficient validation of user permissions within the 'wcfmvm_membership_change' AJAX action, failing to confirm if an authenticated user is authorized to modify other users' roles or membership plans. Exploitation allows an authenticated attacker, holding at least vendor-level privileges, to arbitrarily alter any user's role within the marketplace to 'wcfm_vendor'. This can lead to unauthorized account takeover, disruption of marketplace operations, and potential financial impact by granting malicious actors control over other vendor accounts.
Attack Chain
- An attacker obtains valid authentication credentials for a WordPress account with at least vendor-level access on a site running the vulnerable WCFM Membership plugin.
- The attacker logs into the WordPress site, establishing an authenticated session.
- The attacker crafts a malicious HTTP POST request targeting the
/wp-admin/admin-ajax.phpendpoint. - The crafted request includes the
action=wcfmvm_membership_changeparameter along with specific data identifying a target user and a desired membership plan corresponding to the 'wcfm_vendor' role. - Due to the Insecure Direct Object Reference vulnerability (CVE-2026-3688), the plugin fails to properly validate whether the authenticated attacker has permission to modify the specified target user's membership.
- The plugin processes the illicit request, updating the target user's membership plan.
- The target user's role within the WCFM marketplace is consequently changed to 'wcfm_vendor'.
- The attacker achieves unauthorized privilege escalation, gaining control over another user's vendor account.
Impact
This vulnerability carries a CVSS v3.1 Base Score of 8.1 (High), indicating significant impact. Successful exploitation by an authenticated attacker, even with basic vendor access, allows them to arbitrarily change the role of any other user to 'wcfm_vendor'. This directly translates to unauthorized privilege escalation, potentially granting attackers control over other legitimate vendor accounts within the marketplace. Such control can lead to disruption of normal marketplace operations, fraudulent transactions, data manipulation, reputation damage, and financial losses for the affected organization and its users.
Recommendation
- Immediately update the "WCFM Membership - WooCommerce Memberships for Multivendor Marketplace" plugin to a patched version greater than 2.11.10 to remediate CVE-2026-3688.
- Review web server access logs for any suspicious POST requests to
/wp-admin/admin-ajax.phpwithaction=wcfmvm_membership_changethat originate from unexpected IP addresses or accounts during the period the vulnerable plugin was active. - Examine WordPress user roles for any unauthorized changes to 'wcfm_vendor' during the period the vulnerable plugin was active.