{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wcfm-membership--woocommerce-memberships-for-multivendor-marketplace--2.11.10/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-3688"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WCFM Membership – WooCommerce Memberships for Multivendor Marketplace \u003c 2.11.10"],"_cs_severities":["high"],"_cs_tags":["wordpress","web","vulnerability","idor","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["WCLovers","WordPress","WooCommerce"],"content_html":"\u003cp\u003eA critical Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2026-3688, has been identified in the WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin for WordPress, affecting all versions up to and including 2.11.10. This flaw stems from insufficient validation of user permissions within the 'wcfmvm_membership_change' AJAX action, failing to confirm if an authenticated user is authorized to modify other users' roles or membership plans. Exploitation allows an authenticated attacker, holding at least vendor-level privileges, to arbitrarily alter any user's role within the marketplace to 'wcfm_vendor'. This can lead to unauthorized account takeover, disruption of marketplace operations, and potential financial impact by granting malicious actors control over other vendor accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid authentication credentials for a WordPress account with at least vendor-level access on a site running the vulnerable WCFM Membership plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WordPress site, establishing an authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003eaction=wcfmvm_membership_change\u003c/code\u003e parameter along with specific data identifying a target user and a desired membership plan corresponding to the 'wcfm_vendor' role.\u003c/li\u003e\n\u003cli\u003eDue to the Insecure Direct Object Reference vulnerability (CVE-2026-3688), the plugin fails to properly validate whether the authenticated attacker has permission to modify the specified target user's membership.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the illicit request, updating the target user's membership plan.\u003c/li\u003e\n\u003cli\u003eThe target user's role within the WCFM marketplace is consequently changed to 'wcfm_vendor'.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized privilege escalation, gaining control over another user's vendor account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability carries a CVSS v3.1 Base Score of 8.1 (High), indicating significant impact. Successful exploitation by an authenticated attacker, even with basic vendor access, allows them to arbitrarily change the role of any other user to 'wcfm_vendor'. This directly translates to unauthorized privilege escalation, potentially granting attackers control over other legitimate vendor accounts within the marketplace. Such control can lead to disruption of normal marketplace operations, fraudulent transactions, data manipulation, reputation damage, and financial losses for the affected organization and its users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the \u0026quot;WCFM Membership - WooCommerce Memberships for Multivendor Marketplace\u0026quot; plugin to a patched version greater than 2.11.10 to remediate CVE-2026-3688.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for any suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with \u003ccode\u003eaction=wcfmvm_membership_change\u003c/code\u003e that originate from unexpected IP addresses or accounts during the period the vulnerable plugin was active.\u003c/li\u003e\n\u003cli\u003eExamine WordPress user roles for any unauthorized changes to 'wcfm_vendor' during the period the vulnerable plugin was active.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T12:18:39Z","date_published":"2026-07-08T12:18:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-wcfm-idor/","summary":"Authenticated attackers with vendor-level access can exploit an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-3688) in the WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin for WordPress to change any user's role to 'wcfm_vendor' by manipulating membership plans, leading to unauthorized privilege escalation.","title":"CVE-2026-3688: WordPress WCFM Membership Plugin Insecure Direct Object Reference","url":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-wcfm-idor/"}],"language":"en","title":"CraftedSignal Threat Feed - WCFM Membership – WooCommerce Memberships for Multivendor Marketplace \u003c 2.11.10","version":"https://jsonfeed.org/version/1.1"}