Product
Authenticated attackers with vendor-level access can exploit an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-3688) in the WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin for WordPress to change any user's role to 'wcfm_vendor' by manipulating membership plans, leading to unauthorized privilege escalation.